"Malware Samples Target Windows Installer Flaw"

According to researchers at Cisco Talos, there are malware samples in the wild attempting to exploit a recently disclosed zero-day flaw in Microsoft's Windows Installer software component. Exploiting this flaw allows an attacker who already has access to a limited user account to gain administrator privileges. The issue stems from an inadequate patch, released on November 9, for CVE-2021-41379. On November 22, the researcher who originally discovered the flaw released proof-of-concept (PoC) exploit code on GitHub, and other security researchers confirmed that the exploit code still worked against the patched component.

The vulnerability was initially rated as a medium-severity flaw with a CVSS base score of 5.5, because an attacker would first need access to the targeted system and the ability to execute low-privileged code. However, the release of a functional PoC is expected to drive additional exploitation of the vulnerability. Jaeson Schultz, technical leader at Cisco Talos, said three malware samples related to the flaw have been found.

Using CVE-2021-41379, an attacker could abuse the Windows Installer service by creating a junction. The PoC exploit code goes further: it allows an attacker to overwrite the discretionary access control list (DACL) of the Microsoft Edge Elevation Service, the list that identifies which users are allowed or denied access to a securable object. This would let a malicious actor replace any executable file on the system with an MSI file and run code as an administrator. The vulnerability affects versions of Microsoft Windows, including Windows 11 and Windows Server 2022. This article continues to discuss the discovery of malware samples targeting a local privilege escalation flaw in Windows Installer.

Duo reports "Malware Samples Target Windows Installer Flaw"
