A security researcher has published details and proof-of-concept code for a vulnerability in Microsoft Windows that could allow a local attacker to gain administrative rights.

Abdelhamid Naceri told SearchSecurity that he did not notify Microsoft before publishing the proof of concept on Sunday. The bug is related to a vulnerability Microsoft had previously tried to fix: the Windows Installer elevation of privilege flaw CVE-2021-41379, which was supposed to have been resolved by the November Patch Tuesday update.

However, Naceri found that the patch does not fully address the vulnerability: an attacker with a standard, non-administrative user account can still exploit it to gain administrator rights, even on fully patched Windows and Windows Server machines.

“The best workaround available at the time of this writing is to wait for Microsoft to release a security patch, due to the complexity of this vulnerability,” Naceri said in his write-up of the exploit. “Any attempt to patch the binary directly will break Windows Installer.”

Naceri said he has also found a second vulnerability in Windows Installer, but is holding off on disclosing it until this bug is fixed.

The possible good news for enterprise security teams is that Naceri said he does not believe his exploit can be chained with other bugs into something on the scale of a remote takeover attack; the attacker first needs a local user account on the target machine. However, gaining that access can be as simple as phishing an end user for their account credentials.

The disclosure will be particularly unwelcome news for administrators in the United States, where many companies are planning a short week around the November 25th Thanksgiving holiday. CISA this week published a notice reminding critical infrastructure companies that multiple ransomware attacks have taken place over holiday weekends, such as the attack on Kaseya and its managed service provider customers.

“We are aware of the disclosure and will do what is necessary to keep our customers protected and safe,” a Microsoft spokesperson told SearchSecurity. “An attacker using the methods described must already have access and the ability to run code on a target victim’s machine.”

According to Cisco Talos, which has published a set of Snort rules to detect exploitation attempts, the vulnerability is already being attacked in the wild.

“The code Naceri published leverages the discretionary access control list (DACL) of the Microsoft Edge Elevation Service to replace any executable file on the system with an MSI file, allowing an attacker to run code as an administrator,” said Jaeson Schultz, technical director at Cisco Talos.

“Although Microsoft initially rated this vulnerability as moderate severity, with a CVSS base score of 5.5 and a temporal score of 4.8, the release of working proof-of-concept exploit code will certainly lead to further abuse of this vulnerability.”
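Since the published exploit is reported to work by tampering with the DACL of the Edge Elevation Service, one check a defender can run on a fleet is to inspect the ACL and ownership of that service's binary and its directory for write rights granted to low-privilege principals. The script below is an added example written for this page, not code from Naceri, Microsoft or Cisco Talos. It assumes the service is registered under the name `MicrosoftEdgeElevationService` and that its `PathName` in the service control manager is a quoted executable path; adjust both if your Edge installation differs. It is an integrity check, not a patch check: a clean result does not mean the host is patched or unexploitable.

```powershell
# Added example (not from the article). Flags write-capable ACEs for
# low-privilege principals on the Edge Elevation Service binary and its
# directory, and flags an unexpected owner. Run from an elevated prompt.

$serviceName = 'MicrosoftEdgeElevationService'   # assumed service name
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$serviceName'"
if (-not $svc) { Write-Warning "Service $serviceName not found"; return }

# PathName is normally a quoted path, possibly followed by arguments;
# strip the quotes and arguments. If it is unquoted, it is used as-is.
$exePath = ($svc.PathName -replace '^"([^"]+)".*$', '$1')
$targets = @($exePath, (Split-Path -Path $exePath -Parent))

# Rights that let a principal replace or modify the file or its directory.
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Delete -bor
             [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
             [System.Security.AccessControl.FileSystemRights]::TakeOwnership -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl

# Principals that should never hold write rights on a privileged service binary.
$lowPriv = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
             'Everyone', 'NT AUTHORITY\INTERACTIVE')

# Owners expected on files under Program Files.
$expectedOwner = '^(NT AUTHORITY\\SYSTEM|BUILTIN\\Administrators|NT SERVICE\\TrustedInstaller)$'

foreach ($t in $targets) {
    if (-not (Test-Path -LiteralPath $t)) { Write-Warning "$t does not exist"; continue }
    $acl = Get-Acl -LiteralPath $t
    Write-Host "`n$t  (owner: $($acl.Owner))"

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $id = $ace.IdentityReference.Value
        $hasWrite = (([int]$ace.FileSystemRights) -band $writeMask) -ne 0
        if ($hasWrite -and ($lowPriv -contains $id)) {
            Write-Warning ("  SUSPICIOUS ACE: {0} has {1}" -f $id, $ace.FileSystemRights)
        } else {
            Write-Host ("  {0,-40} {1}" -f $id, $ace.FileSystemRights)
        }
    }

    # A service binary owned by a standard user is a sign it was replaced.
    if ($acl.Owner -notmatch $expectedOwner) {
        Write-Warning "  SUSPICIOUS owner: $($acl.Owner)"
    }
}
```

Any `SUSPICIOUS` line is worth a closer look: compare the file's hash and signature against a known-good Edge install and review Windows Installer and process-creation logs from around the time the ACL or owner changed.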
