[MART] - Daily Diary #396 - Microsoft Installer Zero-Day Exploited In The Wild

CTAS-MAT ctas-mat at appgate.com
Tue Nov 23 21:05:52 UTC 2021


Hello,

I hope everyone is doing well!

Below is the entry for today.

11/23/2021 - Diary entry #396:

Microsoft Windows Installer (.msi) is a common file type used on Windows as a package to install software, and it is abused by threat actors to deliver malware samples. Recently, on November 9, a zero-day elevation of privilege vulnerability was disclosed that affects every version of Microsoft Windows, including fully patched Windows 11 and Server 2022.

Tracked as CVE-2021-41379, it allows a limited user account to elevate its privileges to become an administrator. Microsoft released a patch during the November Patch Tuesday. However, it was not enough to remediate the vulnerability. On November 22, the security researcher responsible for the discovery published a PoC exploit code variant on GitHub that was discovered during the analysis of the CVE-2021-41379 patch.

The proof of concept overwrites the Microsoft Edge elevation service DACL, copies itself to the service location, and executes it to gain elevated privileges. This vulnerability has a low CVSS score of 5.5, but since the release of the PoC exploit code, threat actors have already started to abuse it in the wild.

Kind Regards,

Felipe Tarijon de Almeida
Malware Analyst
Appgate

E: felipe.tarijon at appgate.com
O: +55 11 97467 9549
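
A defender-side check for the DACL overwrite described in the entry above, as an added example that is not part of the original message or of any vendor tooling. It audits an SDDL string, such as the output of `sc.exe sdshow <service>` or PowerShell's `(Get-Acl <path>).Sddl`, for allow ACEs that give low-privileged trustees rights to replace the object. The two sample strings are constructed, and the choice of trustees and rights to flag is an assumption.

```python
import re

# SDDL right tokens -> access-mask bits (generic, file, standard, specific).
RIGHT_BITS = {
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
    "FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116, "FX": 0x001200A0,
    "SD": 0x00010000, "RC": 0x00020000, "WD": 0x00040000, "WO": 0x00080000,
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10,
    "WP": 0x20, "DT": 0x40, "LO": 0x80, "CR": 0x100,
}
# Bits that let a trustee replace the object: 0x2 is FILE_WRITE_DATA on a file
# and SERVICE_CHANGE_CONFIG on a service; then WRITE_DAC, WRITE_OWNER,
# GENERIC_WRITE and GENERIC_ALL.
TAKEOVER = 0x2 | 0x00040000 | 0x00080000 | 0x40000000 | 0x10000000
# Assumed low-privileged trustees: Everyone, Authenticated Users, Users, Interactive.
LOW_PRIV = {"WD", "AU", "BU", "IU",
            "S-1-1-0", "S-1-5-11", "S-1-5-32-545", "S-1-5-4"}

def pairs(text):
    """Split a run of two-letter SDDL tokens ('CIOI' -> ['CI', 'OI'])."""
    return [text[i:i + 2] for i in range(0, len(text), 2)]

def access_mask(rights):
    """Convert an ACE rights field (hex mask or token run) to an integer mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for token in pairs(rights):
        mask |= RIGHT_BITS.get(token, 0)
    return mask

def risky_aces(sddl):
    """Return (trustee, mask) for allow ACEs granting takeover rights to LOW_PRIV."""
    dacl = re.search(r"D:(.*?)(?:S:|$)", sddl)  # DACL part, up to the SACL
    findings = []
    for ace in re.findall(r"\(([^)]*)\)", dacl.group(1) if dacl else ""):
        fields = ace.split(";")
        if len(fields) < 6 or fields[0] != "A" or "IO" in pairs(fields[1]):
            continue  # not an allow ACE, or inherit-only (not applied here)
        mask = access_mask(fields[2])
        if fields[5] in LOW_PRIV and mask & TAKEOVER:
            findings.append((fields[5], mask))
    return findings

# Constructed samples: an expected read/execute DACL and an overwritten one.
BASELINE = "O:SYG:SYD:AI(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0x1200a9;;;BU)"
TAMPERED = "O:BUG:SYD:(A;;FA;;;BU)(A;;FA;;;SY)"

if __name__ == "__main__":
    print(risky_aces(BASELINE), risky_aces(TAMPERED))
```
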
