IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Microsoft patch fails to fix Installer zero-day affecting every version of Windows

The exploit allows hackers to elevate privileges and create admin accounts

A hand holding a magnifying glass reveals a red lock, unlocked among several blue locked locks

Cyber criminals are testing out a proof-of-concept malware that targets a zero-day escalation of privilege exploit in the Microsoft Windows Installer.

The flaw, which enables hackers with a limited user account to elevate their privileges to become an administrator, affects every version of Microsoft Windows, including fully patched Windows 11 and Server 2022.

Malware samples have already been detected in the wild that are attempting to take advantage of this vulnerability, according to a blog post by security researchers at Cisco Talos.

It was security researcher Abdelhamid Naceri who initially discovered this elevation of privilege vulnerability and worked with Microsoft to address it. Microsoft then released an update that was intended to fix CVE-2021-41379 on 9 November as part of its monthly security update.

However, the patch failed to fix the vulnerability, and Naceri published a proof-of-concept exploit code on GitHub on 22 Nov that still works despite the fixes implemented by Microsoft.

“The code Naceri released leverages the discretionary access control list (DACL) for Microsoft Edge Elevation Service to replace any executable file on the system with an MSI file, allowing an attacker to run code as an administrator,” said Jaeson Schultz, technical leader for Cisco's Talos Security Intelligence & Research Group.

Related Resource

Multi-factor authentication deployment guide

A complete guide to selecting and deploying your MFA authentication guide

The whitepaper title on a strip of swirling blue and purple diagonal across the pageFree download

According to a posting by Naceri on GitHub, the technique may not work on every installation, because windows installations, such as server 2016 and 2019, may not have the elevation service.

“I deliberately left the code which take over file open, so any file specified in the first argument will be taken over with the condition that SYSTEM account must have access to it and the file mustn't be in use. So you can elevate your privileges yourself,” he said.

Naceri added that the best workaround available at the time of writing this is to wait for Microsoft to release a security patch, due to the complexity of this vulnerability.

“Any attempt to patch the binary directly will break windows installer. So you better wait and see how Microsoft will screw the patch again,” he said.

Featured Resources

AI for customer service

IBM Watson Assistant solves customer problems the first time

View now

Solve cyber resilience challenges with storage solutions

Fundamental capabilities of cyber-resilient IT infrastructure

Free Download

IBM FlashSystem 5000 and 5200 for mid-market enterprises

Manage rapid data growth within limited IT budgets

Free download

Leverage automated APM to accelerate CI/CD and boost application performance

Constant change to meet fast-evolving application functionality

Free Download

Recommended

How to reinstall Windows 10 without losing data
Microsoft Windows

How to reinstall Windows 10 without losing data

24 Nov 2022
17 Windows 10 problems and how to fix them
operating systems

17 Windows 10 problems and how to fix them

24 Nov 2022
How to wipe a laptop easily and securely
Security

How to wipe a laptop easily and securely

17 Nov 2022
How to fix a stuck Windows 10 update
operating systems

How to fix a stuck Windows 10 update

14 Nov 2022

Most Popular

How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

15 Nov 2022
The top 12 password-cracking techniques used by hackers
Security

The top 12 password-cracking techniques used by hackers

14 Nov 2022
Windows users now able to run Linux apps and distros natively
Microsoft Windows

Windows users now able to run Linux apps and distros natively

24 Nov 2022