Hackers Exploiting zero-day

Today, Cisco Talos is releasing SNORT rules to protect against the exploitation of a zero-day elevation of privilege vulnerability in Microsoft Windows Installer (MSI). 

This vulnerability is similar to the MSI installer vulnerability that was exploited during the WannaCry campaign. By exploiting it, a low-privileged user can easily obtain administrative privileges on the target system.

All versions of Microsoft Windows are affected by this vulnerability, including fully patched Windows 11 and Windows Server 2022.

Talos, which continuously monitors for new malware, has already found malware samples exploiting this vulnerability in the wild.

As part of its monthly security update on Nov. 9, Microsoft released a fix for CVE-2021-41379, a Windows Installer elevation of privilege vulnerability.

Microsoft addressed this elevation of privilege vulnerability with the help of Abdelhamid Naceri, the security researcher who originally discovered the flaw.

However, on Nov. 22, Naceri published proof-of-concept exploit code on GitHub and claimed that Microsoft's update did not fully fix the vulnerability.

In the proof of concept, Naceri abuses the DACL (Discretionary Access Control List) of the Microsoft Edge Elevation Service to replace any executable file on the system with an MSI file. In short, an attacker with this exploit can run arbitrary code as an administrator.
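The weak point in the exploit above is the DACL on a service executable. As an added defensive check (this PowerShell script is not from the article or from Cisco Talos, and the identity list and rights mask it uses are this example's own assumptions), the script below enumerates every installed service binary and reports any that a standard user could overwrite, delete, or re-ACL. A service binary writable by a low-privilege principal is the condition such a privilege escalation creates, so a clean result is one thing an administrator would want to confirm after patching.

```powershell
# Added example, not code from the article or from Cisco Talos.
# Audits every installed Windows service binary on disk and reports any
# whose file DACL grants write-type rights to a low-privilege principal.
# The identity list and rights mask below are this example's assumptions.

# Principals every standard (non-administrative) user belongs to.
$lowPrivIdentities = @(
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'Everyone',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that allow replacing, deleting, or re-ACLing the binary.
# FullControl is deliberately not in the mask: it contains every bit, so
# AND-ing with it would flag read-only ACEs too. An ACE granting
# FullControl still matches because it contains the Write bits.
$writeLikeMask = [int]([System.Security.AccessControl.FileSystemRights]::Write -bor
    [System.Security.AccessControl.FileSystemRights]::Delete -bor
    [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
    [System.Security.AccessControl.FileSystemRights]::TakeOwnership)
# Generic rights (GENERIC_ALL 0x10000000, GENERIC_WRITE 0x40000000) show up
# as raw numbers in FileSystemRights, so fold them into the mask as well.
$writeLikeMask = $writeLikeMask -bor 0x10000000 -bor 0x40000000

function Get-ServiceBinaryPath {
    # Extracts the executable path from Win32_Service.PathName, which may be
    # quoted and may carry arguments, e.g. "C:\Program Files\X\svc.exe" -run
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    if ($PathName.StartsWith('"')) {
        $end = $PathName.IndexOf('"', 1)
        if ($end -gt 1) { return $PathName.Substring(1, $end - 1) }
    }
    # Unquoted path: take everything up to and including the first ".exe"
    $m = [regex]::Match($PathName, '^(.*?\.exe)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return $PathName.Split(' ')[0]
}

function Find-WritableServiceBinaries {
    # Emits one record per (service, binary, identity) where a low-privilege
    # identity holds an Allow ACE with write-type rights on the executable.
    # Deny ACEs are not reconciled, so treat each hit as a lead to verify.
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $bin = Get-ServiceBinaryPath -PathName $svc.PathName
        if (-not $bin -or -not (Test-Path -LiteralPath $bin)) { continue }
        $acl = Get-Acl -LiteralPath $bin
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($lowPrivIdentities -notcontains $ace.IdentityReference.Value) { continue }
            if (([int]$ace.FileSystemRights -band $writeLikeMask) -eq 0) { continue }
            [pscustomobject]@{
                Service  = $svc.Name
                Binary   = $bin
                Identity = $ace.IdentityReference.Value
                Rights   = $ace.FileSystemRights
            }
        }
    }
}

$findings = Find-WritableServiceBinaries
if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    'No service binaries are writable by low-privilege identities.'
}
```

Reading service definitions and file ACLs does not require administrative rights, so the check can run from an ordinary user session on Windows PowerShell 5.1 or later. Any row it prints names a service whose executable a standard user can tamper with and which should be re-ACLed to administrators and SYSTEM only.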

Microsoft initially rated the vulnerability as "medium" severity, with a base CVSS score of 5.5 and a temporal score of 4.8.

What is clear for now is that a functional proof-of-concept exploit will definitely invite further abuse of this security flaw.

Is there any patch available?

The short answer is "No": so far, Microsoft has not released a patch that fixes this vulnerability. In the meantime, the experts at Cisco Talos have made the following recommendations:

Snort rule SIDs 58635 and 58636 protect users against exploitation of this vulnerability.

Cisco Secure Firewall customers should update their SRU to obtain the latest ruleset.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack.

Customers, partners, and anyone who manages a network are strongly advised to deploy these rules as soon as possible.


Gurubaran is a Security Consultant, Security Editor & Co-Founder of Cyber Security News & GBHackers On Security.