All popular and currently supported versions of the Windows operating system are affected by a serious security vulnerability. The latest zero-day bug, dubbed “InstallerFileTakeOver”, is a local privilege-escalation vulnerability that grants control of fully patched Windows 10, Windows 11, and Windows Server systems.
Abdelhamid Naceri, the researcher who first discovered and named the zero-day vulnerability, has published proof-of-concept (PoC) code on the Microsoft-owned GitHub. Preliminary testing confirms that the bug can grant Administrator-level access to low-privileged accounts on any Windows OS version.
Microsoft poorly patched CVE-2021-41379, which resulted in the InstallerFileTakeOver bug:
Security researcher Abdelhamid Naceri was analyzing a patch that Microsoft had released to address CVE-2021-41379, a security loophole with similar powers. Needless to say, Microsoft clearly failed to address the bug fully, and the result is the InstallerFileTakeOver bug.
Naceri has indicated that the new variant is more powerful than the original. It completely bypasses the Group Policy included in the administrative install feature of Windows.
Can confirm this works, local priv esc. Tested on Windows 10 20H2 and Windows 11.
The prior patch MS issued didn't fix the issue properly. https://t.co/OEdmtlMZvY
— Kevin Beaumont (@GossiTheDog) November 22, 2021
Using this exploit, an attacker gains Administrator-level rights. Consequently, attackers can replace any executable file on the system with an MSI file and, in effect, potentially gain complete control of the machine.
“While group policy by default doesn’t allow standard users to do any MSI operation, the administrative install feature thing seems to be completely bypassing group policy,” noted Naceri.
The latest zero-day security vulnerability in all versions of Windows OS remains unpatched and is exploited in the wild:
It is concerning to note that there is no patch for the vulnerability yet. Moreover, researchers have already discovered malware samples “in the wild”.
This clearly means that some threat actors are aware of the exploit and are building software to take advantage of it.
Yeah, this LPE indeed works fine on a fully-patched Windows 11 system. https://t.co/7v0oXSZrnM pic.twitter.com/kvvISKabeG
— Will Dormann (@wdormann) November 22, 2021
Microsoft has yet to fully patch the previous loophole that exposed Windows 10 and 11 to the local privilege-escalation threat.
Naceri has observed that, because of the complexity of the vulnerability, Windows OS users can only wait for Microsoft to release another security patch: any workaround for the bug “breaks windows installer.”
It is important to note that popular antivirus and anti-malware platforms can detect and stop the majority of such attacks. Hence, it is critical to regularly update all security-related applications.