CVE-2021-41379 is an elevation-of-privilege vulnerability which Microsoft fixed earlier this month. However, it turns out that there is another, “more powerful” variant, discovered by security researcher Abdelhamid Naceri. He came across a Windows Installer EoP flaw patched by Microsoft several weeks ago as part of November 2021 Patch Tuesday.
The Story Behind CVE-2021-41379 Elevation of Privilege Bug
Naceri analyzed the official patch and found a bypass, alongside an even more dangerous zero-day privilege escalation issue. A proof-of-concept code exploit code, dubbed InstallerFileTakeOver, is also available on GitHub. The vulnerability can be exploited against all currently supported Windows OS versions, enabling threat actors to take over Windows 10, Windows 11 and Windows Server. The only necessary condition is being logged onto a Windows machine that has the Edge browser installed.
As pointed out by Cisco Talos in a separate analysis of the happening, “the patch released by Microsoft was not sufficient to remediate the vulnerability, and Naceri published proof-of-concept exploit code on GitHub on Nov. 22 that works despite the fixes implemented by Microsoft.”
The InstallerFileTakeOver PoC exploit leverages the discretionary access control list (DACL) for Microsoft Edge Elevation Service to replace any executable file on the system with an MSI file, thus enabling threat actors to run code as an administrator.
CVE-2021-41379 was initially given a medium-severity status, but the release of the fully functional proof-of-concept adds another threat level to the vulnerability. Currently, there is no fix available from Microsoft.
In 2020, another Microsoft vulnerability stood out in the bug crowd, as the company failed to address it for 2 years.
CVE-2020-1464 vulnerability was part of the 120 security flaws addressed in last year’s August’s Patch Tuesday. The bug was actively expoited in malicious attacks for at least two years before Microsoft fixed it. The issue was a spoofing flaw triggered by the incorrect way Windows validates file signatures. In case of a successful exploit, the attacker could bypass security features and load improperly signed files.