HomesecurityMalware tries to take advantage of the new Windows Installer zero-day

Malware tries to take advantage of the new Windows Installer zero-day

Malicious agents have already started testing a proof-of-concept exploit, targeting a new Microsoft Windows Installer zero-day, which was publicly revealed by the security researcher Abdelhamid Naceri the weekend.

Windows Installer

See also: Released patch for Exploit RCE error in Microsoft Exchange

"Talos has already detected samples of malware trying to exploit this vulnerability" said ο Jaeson Schultz, Technical Director of Cisco's Talos Security Intelligence & Research Group.

However, according to his statements Nick Biasini, head of Cisco Talos' Outreach division, said these exploitation attempts are part of low-volume attacks, possibly focusing on trials and adjustments.

«During our research, we looked at recent malware samples and were able to identify many that were already trying to exploit exploit.", Said Biasini.

«Given that the volume is low, these are probably people who are working on proof of concept code or testing it for future campaigns. This is just another proof of how quickly intruders work to take advantage of a publicly available exploit.»

This vulnerability is a local privilege scaling error found as a bypass in a patch released by Microsoft during Patch Tuesday for November 2021, to address a defect identified as CVE-2021-41379.

See also: New Windows zero-day allows administrator privileges


On Sunday, Naceri released a functional proof-of-concept exploit for this new zero-day, saying it works on all supported versions of Windows.

If exploited successfully, this bypass gives SYSTEM intruders permissions on updates that run the latest versions of Windows, including Windows 10, Windows 11, and Windows Server 2022.

SYSTEM privileges are the highest user rights available to Windows users and enable any operating system command to be executed.

By exploiting this flaw, intruders with limited access to compromised systems can easily increase their privileges to achieve lateral spread within the victim network.

See also: FBI: Sophisticated team exploits a zero-day on FatPipe VPNs

A Microsoft spokesman said: "We are aware of the disclosure and will do whatever it takes to keep our customers safe and secure. An attacker using the methods described must already have access and the ability to execute code on the target victim's computer.»

Absent Mia
Being your self, in a world that constantly tries to change you, is your greatest achievement