Windows Installer zero-day under active exploitation

McAfee said the Windows Installer vulnerability is being exploited in 23 countries around the world, including the United States, China, India and others.

An elevation of privilege flaw in Microsoft's Windows Installer is now under active exploitation, and there's no patch in sight.

A proof of concept for the Windows Installer vulnerability was published earlier this month by researcher Abdelhamid Naceri. An attacker who exploits the flaw could potentially gain administrator rights.

The vulnerability is a variant of CVE-2021-41379, a similar flaw also discovered by Naceri that was seemingly fixed in the November Patch Tuesday update. However, Naceri found that the update did not fully fix the problem, and during the analysis he discovered the new variant.

Naceri said in his proof of concept for the new Windows Installer flaw that "the best workaround available at the time of writing this is to wait [for] Microsoft to release a security patch, due to the complexity of this vulnerability."

UPDATE 11/30: Naceri published a temporary fix for the variant on Tuesday.

Since the proof of concept was posted on Nov. 21, at least two vendors, Cisco Talos and McAfee, have reported exploitation associated with the new variant of CVE-2021-41379.

Talos Security Intelligence and Research Group technical leader Jaeson Schultz wrote in a Nov. 23 blog that Cisco Talos had detected malware samples attempting to exploit the flaw.

McAfee chief scientist Raj Samani tweeted Monday that McAfee had detected exploitation in "23 countries and multiple sectors." The countries include the United States, Canada, China, India, Brazil and others; three of the highest prevalence rates can be seen in Saudi Arabia, Ukraine and Belgium. While McAfee reported the activity, which is rated as "high" threat severity, as exploitation of CVE-2021-41379, the alert referenced the public PoC for Naceri's variant.

Naceri told SearchSecurity last week that his exploit could not be chained with other vulnerabilities for a remote takeover attack. In a follow-up direct message Monday, he reaffirmed that point and said attackers can do plenty with the flaw even though it's only exploitable locally.

"The vulnerability cannot be exploited remotely -- only and strictly locally," Naceri said. "The problem is, these kinds of bugs are actually really valuable. Gaining code execution as an unprivileged user is easy nowadays, using either n-day vulnerabilities or social engineering. But having administrative privileges can be a hard task to achieve. In some scenarios, if an attacker compromised a machine of the domain, he could eventually take over the entire domain."

Naceri also said the Windows Installer variant will have its own CVE.

A Microsoft spokesperson said in an email to SearchSecurity that the company "is aware of a different vulnerability disclosure from one of the original finders of CVE-2021-41379" but did not say whether a patch was in development.

The spokesperson also said CVE-2021-41379 was fully patched.

"We released an update for CVE-2021-41379 during the November Update Tuesday 11B release. Customers who have applied the update are protected against this vulnerability," they said.

Alexander Culafi is a writer, journalist and podcaster based in Boston.
