Nov 24, 2021

Malware now trying to exploit new Windows Installer zero-day

Malware creators have already started testing a proof-of-concept exploit targeting a new Microsoft Windows Installer zero-day publicly disclosed by security researcher Abdelhamid Naceri over the weekend.
“Talos has already detected malware samples in the wild that are attempting to take advantage of this vulnerability,” said Jaeson Schultz, Technical Leader for Cisco’s Talos Security Intelligence & Research Group.
However, as Cisco Talos' Head of Outreach Nick Biasini told BleepingComputer, these exploitation attempts are part of low-volume attacks, most likely aimed at testing and tweaking exploits ahead of full-blown campaigns.
“During our investigation, we looked at recent malware samples and were able to identify several that were already attempting to leverage the exploit,” Biasini told BleepingComputer.
“Since the volume is low, this is likely people working with the proof of concept code or testing for future campaigns. This is just more evidence on how quickly adversaries work to weaponize a publicly available exploit.”
The vulnerability in question is a local privilege escalation bug that bypasses the fix Microsoft shipped in the November 2021 Patch Tuesday updates for CVE-2021-41379, a Windows Installer elevation-of-privilege flaw.
On Sunday, Naceri published a working proof-of-concept exploit for this new zero-day, saying it works on all supported versions of Windows.
If successfully exploited, this bypass gives attackers SYSTEM privileges on up-to-date devices running the latest Windows releases, including Windows 10, Windows 11, and Windows Server 2022.
SYSTEM (the LocalSystem account) is the highest privilege level on a Windows host; code running as SYSTEM can perform any operation on the machine, including reading other users' data, installing drivers and services, and tampering with security tooling.
By exploiting this zero-day, attackers who have gained only a low-privileged foothold on a compromised system can elevate to SYSTEM and use that access to move laterally within the victim's network.
BleepingComputer has tested Naceri’s exploit and used it to successfully open a command prompt with SYSTEM permissions from an account with low-level ‘Standard’ privileges.
“The best workaround available at the time of writing this is to wait for Microsoft to release a security patch, due to the complexity of this vulnerability,” explained Naceri.
“Any attempt to patch the binary directly will break Windows Installer. So you better wait and see how Microsoft will screw the patch again.”
“We are aware of the disclosure and will do what is necessary to keep our customers safe and protected. An attacker using the methods described must already have access and the ability to run code on a target victim’s machine,” a Microsoft spokesperson told BleepingComputer when asked for more details regarding this vulnerability.
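With no patch available and the researcher advising against patching the binary by hand, the practical recourse for defenders is to watch for Windows Installer activity that does not come from their normal deployment path. The following PowerShell triage script is an added example, not code from the article, from the researcher, or from Microsoft. It assumes only that, like any Windows Installer privilege-escalation attempt, the bypass drives the Windows Installer service, whose activity is logged under the MsiInstaller provider in the Application log; it reports installer activity attributed to accounts other than an allow-list of expected installer identities (the list of SIDs is a placeholder you must fill in for your environment). A hit is a hunting lead, not proof of exploitation.

```powershell
# Added example (not the article's or the researcher's code).
# Assumption: exploitation of a Windows Installer LPE drives the Windows
# Installer service, whose events land in the Application log under the
# MsiInstaller provider. Installer activity attributed to an interactive
# standard user is rare on managed endpoints, so it is worth reviewing.
# $ExpectedInstallers is a placeholder allow-list: SYSTEM plus whatever
# software-deployment service accounts your estate actually uses.
param(
    [int]$Hours = 24,
    [string[]]$ExpectedInstallers = @('S-1-5-18')   # S-1-5-18 = NT AUTHORITY\SYSTEM
)

$since  = (Get-Date).AddHours(-$Hours)
$filter = @{ LogName = 'Application'; ProviderName = 'MsiInstaller'; StartTime = $since }

$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Output "No MsiInstaller events in the Application log in the last $Hours hours."
    return
}

$hits = foreach ($e in $events) {
    # UserId is the security identifier recorded on the event, or null when
    # the provider did not attribute the event to an account.
    $sid = if ($e.UserId) { $e.UserId.Value } else { 'unattributed' }
    if ($ExpectedInstallers -contains $sid) { continue }

    $name = $sid
    if ($e.UserId) {
        try { $name = $e.UserId.Translate([System.Security.Principal.NTAccount]).Value } catch { }
    }

    [pscustomobject]@{
        Time    = $e.TimeCreated
        EventId = $e.Id
        Account = $name
        Summary = ($e.Message -split "`r?`n")[0]   # first line of the event message
    }
}

if ($hits) {
    Write-Output "MsiInstaller activity from accounts outside the expected installer list:"
    $hits | Sort-Object Time | Format-Table -AutoSize
} else {
    Write-Output "All MsiInstaller activity in the last $Hours hours came from expected installer accounts."
}
```

Run it elevated so that the full Application log is readable, and widen `-Hours` to cover the window since the proof-of-concept was published. Anything it lists should be correlated with process-creation telemetry from the same host and time range, since a command shell running as SYSTEM out of a standard user's session is the outcome the article describes.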