Every version of Windows is at risk due to a scary zero-day vulnerability after Microsoft failed to properly patch a similar flaw, a cybersecurity researcher claims.
The newly discovered exploit is currently a proof-of-concept, but researchers believe ongoing small-scale testing and tweaking is setting the stage for a wider-reaching attack.
“During our investigation, we looked at recent malware samples and were able to identify several [bad actors] that were already attempting to leverage the exploit,” Nic Biasini, Cisco Talos’ head of outreach, told BleepingComputer. “Since the volume is low, this is likely people working with the proof of concept code or testing for future campaigns.”
The vulnerability takes advantage of a Windows Installer bug (tracked as CVE-2021-41379) that Microsoft claims to have patched earlier this month. This new variant gives users the ability to elevate local privileges to SYSTEM privileges, the highest user rights available on Windows. Once in place, malware creators can use those privileges to replace any executable file on the system with an MSI file to run code as an admin. In short, they can take over the system.
Over the weekend, security researcher Abdelhamid Naceri, who discovered the initial flaw, published to Github a proof-of-concept exploit code that works despite Microsoft’s patch release. Even worse, Naceri believes this new version is even more dangerous because it bypasses the group policy included in the admin install of Windows.
“This variant was discovered during the analysis of CVE-2021-41379 patch. the bug was not fixed correctly, however, instead of dropping the bypass. I have chosen to actually drop this variant as it is more powerful than the original one,” Naceri wrote.
BleepingComputer tested Naceri’s exploit and, within “a few seconds,” used it to open a command prompt with SYSTEM permissions from an account with “standard” privileges.
While you shouldn’t be too worried just yet, this vulnerability could put billions of systems at risk if it’s allowed to spread. It’s worth reiterating that this exploit gives attackers admin privileges on the latest Windows OS versions, including Windows 10 and Windows 11–we’re talking about more than 1 billion systems. This isn’t a remote exploit though, so bad actors would need physical access to your device to carry out the attack.
Microsoft labeled the initial vulnerability as medium-severity, but Jaeson Schultz, a technical leader for Cisco’s Talos Security Intelligence & Research Group, stressed in a blog post that the existence of functional proof-of-concept code means the clock is ticking on Microsoft releasing a patch that actually works. As it stands, there is no fix or workaround for this flaw.
Naseri, who told BleepingComputer that he didn’t give Microsoft notice about the vulnerability before going public as a way to petition against smaller payouts in Microsoft’s bug bounty program, advises against third-party companies releasing their own patches because doing so could break the Windows installer.
Microsoft is aware of the vulnerability but didn’t provide a timeline for when it will release a fix.
“We are aware of the disclosure and will do what is necessary to keep our customers safe and protected. An attacker using the methods described must already have access and the ability to run code on a target victim’s machine,” Microsoft told BleepingComputer.
The company usually pushes out patches on “Patch Tuesday,” or the second Tuesday of each month.
Update 2:00 AM ET: We’ve updated the headline and lede to specify the source of these cybersecurity flaw claims (that source being cybersecurity researcher Abdelhamid Naceri). Microsoft has responded to Gizmodo’s story by clarifying that the company did fix the original flaw. Naceri believes Microsoft didn’t “correctly” make that fix; he claims to have found a bypass for the patch. We’ve adjusted our headline accordingly. From Microsoft:
“[The] vulnerability disclosed is a separate vulnerability. It is inaccurate to say that Microsoft did not fix CVE-2021-41379.”
The company has not provided an update on the newer variant Naceri revealed.