A security researcher posted details on an elevation of privilege flaw in Microsoft Windows that could allow an attacker to gain administrator rights.
Abdelhamid Naceri told SearchSecurity he did not notify Microsoft before posting the proof of concept Sunday for a flaw which is related to a vulnerability Microsoft had previously attempted to address. The CVE-2021-41379 privilege escalation vulnerability in Windows Installer was supposed to have been fixed with the November Patch Tuesday update.
Naceri, however, found that the patch does not fully close up the vulnerability, and an attacker who had an end-user account would still be able to exploit it and gain administrator rights on even fully-patched Windows and Windows Server machines.
"The best workaround available at the time of writing this is to wait [for] Microsoft to release a security patch, due to the complexity of this vulnerability," Naceri said in his write-up of the exploit.
"Any attempt to patch the binary directly will break Windows Installer."
Naceri said he found a second Windows Installer vulnerability as well, but is holding off on disclosure until this bug can be patched.
One possible bit of good news for enterprise security teams is that Naceri said he does not believe his exploit could be chained with other flaws to create something on the scale of a remote takeover attack, so for now the vulnerability would require the attacker to already have a local user account on the targeted machine. However, getting that access could be as simple as phishing an end user for their account credentials.
The disclosure will be a particularly unwelcome bit of news for administrators in the U.S., where many companies are planning to take a short week for the November 25th Thanksgiving holiday. CISA this week published an advisory reminding critical infrastructure organizations that several ransomware attacks this have taken place around holiday weekends, such the attack on Kaseya and its managed service provider customers.
"We are aware of the disclosure and will do what is necessary to keep our customers safe and protected," a Microsoft spokesperson told SearchSecurity. "An attacker using the methods described must already have access and the ability to run code on a target victim's machine."
According to Cisco Talos, which posted a set of Snort rules to help guard against exploitation, the vulnerability is already being targeted in the wild.
"The code Naceri released leverages the discretionary access control list (DACL) for Microsoft Edge Elevation Service to replace any executable file on the system with an MSI file, allowing an attacker to run code as an administrator," explained Cisco Talos technical leader Jaeson Schultz.
"Although Microsoft initially scored this as a medium-severity vulnerability, having a base CVSS score of 5.5, and a temporal score of 4.8, the release of functional proof-of-concept exploit code will certainly drive additional abuse of this vulnerability."