Security News > 2021 > November > Warning — Hackers Exploiting New Windows Installer Zero-Day Exploit in the Wild

Attackers are actively making efforts to exploit a new variant of a recently disclosed privilege escalation vulnerability to potentially execute arbitrary code on fully-patched systems, once again demonstrating how adversaries move quickly to weaponize a publicly available exploit.
Tracked as CVE-2021-41379 and discovered by security researcher Abdelhamid Naceri, the elevation of privilege flaw affecting the Windows Installer software component was originally resolved as part of Microsoft's Patch Tuesday updates for November 2021.
In what's a case of an insufficient patch, Naceri found that it was not only possible to bypass the fix implemented by Microsoft but also achieve local privilege escalation via a newly discovered zero-day bug.
The proof-of-concept exploit, dubbed "InstallerFileTakeOver," works by overwriting the discretionary access control list for Microsoft Edge Elevation Service to replace any executable file on the system with an MSI installer file, allowing an attacker to run code with SYSTEM privileges.
An attacker with admin privileges could then abuse the access to gain full control over the compromised system, including the ability to download additional software, and modify, delete, or exfiltrate sensitive information stored in the machine.
"Can confirm this works, local priv esc. Tested on Windows 10 20H2 and Windows 11. The prior patch MS issued didn't fix the issue properly," tweeted security researcher Kevin Beaumont, corroborating the findings.
News URL
https://thehackernews.com/2021/11/warning-hackers-exploiting-new-windows.html
Related news
- PipeMagic Trojan Exploits Windows Zero-Day Vulnerability to Deploy Ransomware (source)
- Hackers exploit VMware ESXi, Microsoft SharePoint zero-days at Pwn2Own (source)
- Microsoft Credits EncryptHub, Hacker Behind 618+ Breaches, for Disclosing Windows Flaws (source)
- Microsoft: Windows CLFS zero-day exploited by ransomware gang (source)
- Microsoft fixes actively exploited Windows CLFS zero-day (CVE-2025-29824) (source)
- Hackers exploit WordPress plugin auth bypass hours after disclosure (source)
- Hackers exploit old FortiGate vulnerabilities, use symlink trick to retain limited access to patched devices (source)
- ⚡ Weekly Recap: Windows 0-Day, VPN Exploits, Weaponized AI, Hijacked Antivirus and More (source)
- ⚡ Weekly Recap: iOS Zero-Days, 4Chan Breach, NTLM Exploits, WhatsApp Spyware & More (source)
- Russian Hackers Exploit Microsoft OAuth to Target Ukraine Allies via Signal and WhatsApp (source)
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2021-11-10 | CVE-2021-41379 | Link Following vulnerability in Microsoft products Windows Installer Elevation of Privilege Vulnerability | 0.0 |