Windows 'InstallerFileTakeOver' zero-day bug gets free micropatch (Security News, December 2021)

The vulnerability affects all Windows versions, including Windows 11 and Windows Server 2022, and an attacker who already holds a low-privileged local account can exploit it to escalate privileges and run code with administrative rights.
Mitja Kolsek, co-founder of the 0patch service that delivers hotfixes which do not require a system reboot, explains that the issue stems from the way Windows Installer creates a rollback file (RBF) that is used to restore data deleted or modified during the installation process.
At one point in the process, Windows Installer moves the RBF file from the Config.msi folder to the user's temporary folder and changes its permissions to grant the user write access.
"Abdelhamid noticed that a symbolic link can be created in place of the incoming RBF file, which will result in moving the RBF file from C:\Windows\Installer\Config.msi to some other user-chosen file on the system. Since Windows Installer is running as Local System, any file writable by Local System can be overwritten and made writable by the local user" - Kolsek says in a blog post last week.
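As an added example (not code from the article, from 0patch, or from the published exploit), the following PowerShell script hunts for the building block of the technique described above: reparse points (symbolic links or junctions) planted in user-writable temp folders that redirect a privileged file move into a protected location. It also lists any ACE on C:\Windows\Installer that grants write-class rights to broad principals. That second check is a baseline review only: the write access Kolsek describes is granted by the installer itself to the RBF file during a transaction, so a static ACL review cannot detect the bug. The search roots, protected roots and the list of "broad" principals are assumptions to adjust for your environment; run it from an elevated session.

```powershell
<#
  Added example, not the 0patch micropatch or the exploit code.
  Sweeps user-writable temp folders for reparse points whose target is
  unresolvable, is not a local drive path, or lands inside a protected
  directory, then reviews who may write to the Windows Installer folder.
#>
[CmdletBinding()]
param(
    # Assumption: the user-writable locations worth sweeping.
    [string[]]$SearchRoots = @(
        "$env:SystemDrive\Users\*\AppData\Local\Temp",
        "$env:SystemRoot\Temp"
    ),
    # Assumption: a link from a temp folder into one of these is suspicious.
    [string[]]$ProtectedRoots = @(
        $env:SystemRoot,
        $env:ProgramFiles,
        ${env:ProgramFiles(x86)}
    )
)

function Get-LinkTarget {
    param([System.IO.FileSystemInfo]$Item)
    # Windows PowerShell 5.1 exposes Target as a string array, PowerShell 7 as a string.
    $t = @($Item.Target) | Where-Object { $_ } | Select-Object -First 1
    if (-not $t) { return $null }
    # Targets may carry the NT "\??\" prefix; strip it so path comparisons work.
    return ($t -replace '^\\\?\?\\', '')
}

function Find-SuspiciousLinks {
    param([string[]]$Roots, [string[]]$Protected)
    $protectedNorm = $Protected | Where-Object { $_ } |
        ForEach-Object { $_.TrimEnd('\').ToLowerInvariant() }
    foreach ($root in $Roots) {
        $items = Get-ChildItem -Path $root -Recurse -Force -Attributes ReparsePoint `
                               -ErrorAction SilentlyContinue
        foreach ($item in $items) {
            $target = Get-LinkTarget -Item $item
            $reason = $null
            if (-not $target) {
                $reason = 'reparse point with unresolvable target'
            } elseif ($target -notmatch '^[A-Za-z]:\\') {
                $reason = 'target is not a local drive path'
            } else {
                $tl = $target.ToLowerInvariant()
                foreach ($p in $protectedNorm) {
                    if ($tl -eq $p -or $tl.StartsWith("$p\")) {
                        $reason = "target inside protected root $p"; break
                    }
                }
            }
            if ($reason) {
                [pscustomobject]@{
                    Path     = $item.FullName
                    LinkType = $item.LinkType
                    Target   = $target
                    # Owner shows which account planted the link.
                    Owner    = (Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue).Owner
                    Reason   = $reason
                }
            }
        }
    }
}

function Get-BroadWriteAccess {
    param([string]$Path)
    # Allow ACEs granting any write-class right to broad principals (assumed list).
    $writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
                 [System.Security.AccessControl.FileSystemRights]::Modify -bor
                 [System.Security.AccessControl.FileSystemRights]::FullControl
    $broad = @('Everyone', 'BUILTIN\Users',
               'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
    (Get-Acl -LiteralPath $Path).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($broad -contains $_.IdentityReference.Value) -and
            (($_.FileSystemRights -band $writeMask) -ne 0)
        } |
        Select-Object IdentityReference, FileSystemRights, IsInherited
}

# Usage (elevated): report planted links, then the installer folder's broad write ACEs.
Find-SuspiciousLinks -Roots $SearchRoots -Protected $ProtectedRoots | Format-Table -AutoSize
Get-BroadWriteAccess -Path "$env:SystemRoot\Installer" | Format-Table -AutoSize
```

Links of this kind are typically created only for the duration of the race against the installer and removed afterwards, so an empty sweep is not proof of absence; treat a hit as a lead to investigate rather than the sweep as a substitute for the micropatch or a vendor fix.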
The micropatch is free and is available for Windows 7 ESU, Windows 10, and Windows Server 2008 ESU, 2012, 2016 and 2019.
"The code Naceri released leverages the discretionary access control list for Microsoft Edge Elevation Service to replace any executable file on the system with an MSI file, allowing an attacker to run code as an administrator" - Cisco Talos.