Thursday, August 18, 2022

New Windows zero-day with public exploit lets you become an admin – BleepingComputer

A security researcher has publicly disclosed an exploit for a new Windows zero-day local privilege elevation vulnerability that gives admin privileges in Windows 10, Windows 11, and Windows Server.
BleepingComputer has tested the exploit and used it to open a command prompt with SYSTEM privileges from an account with only low-level ‘Standard’ privileges.
Using this vulnerability, threat actors with limited access to a compromised device can easily elevate their privileges to help spread laterally within the network.
The vulnerability affects all supported versions of Windows, including Windows 10, Windows 11, and Windows Server 2022.
As part of the November 2021 Patch Tuesday, Microsoft fixed a ‘Windows Installer Elevation of Privilege Vulnerability’ tracked as CVE-2021-41379.
This vulnerability was discovered by security researcher Abdelhamid Naceri, who found a bypass to the patch and a more powerful new zero-day privilege elevation vulnerability after examining Microsoft’s fix.
Yesterday, Naceri published a working proof-of-concept exploit for the new zero-day on GitHub, explaining that it works on all supported versions of Windows.
“This variant was discovered during the analysis of CVE-2021-41379 patch. The bug was not fixed correctly, however, instead of dropping the bypass,” explains Naceri in his writeup, “I have chosen to actually drop this variant as it is more powerful than the original one.”
Furthermore, Naceri explained that while it is possible to configure group policies to prevent ‘Standard’ users from performing MSI installer operations, his zero-day bypasses this policy and will work anyway.
BleepingComputer tested Naceri’s ‘InstallerFileTakeOver’ exploit, and it only took a few seconds to gain SYSTEM privileges from a test account with ‘Standard’ privileges, as demonstrated in the video below.
The test was performed on a fully up-to-date Windows 10 21H1 build 19043.1348 install.
When BleepingComputer asked Naceri why he publicly disclosed the zero-day vulnerability, we were told he did it out of frustration over Microsoft’s decreasing payouts in their bug bounty program.
“Microsoft bounties have been trashed since April 2020. I really wouldn’t do that if MSFT didn’t take the decision to downgrade those bounties,” explained Naceri.
Naceri is not alone in his concerns about what researchers feel is the reduction in bug bounty awards.
Under Microsoft’s new bug bounty program, one of my zerodays has gone from being worth $10,000 to $1,000.
BE CAREFUL! Microsoft will reduce your bounty at any time! This is a Hyper-V RCE vulnerability that can be triggered from a Guest Machine, but it is just eligible for a $5000.00 bounty award under the Windows Insider Preview Bounty Program. Unfair! @msftsecresponse
Microsoft told BleepingComputer that they are aware of the public disclosure for this vulnerability.
“We are aware of the disclosure and will do what is necessary to keep our customers safe and protected. An attacker using the methods described must already have access and the ability to run code on a target victim’s machine.” – a Microsoft spokesperson.
As is typical with zero days, Microsoft will likely fix the vulnerability in an upcoming Patch Tuesday update.
However, Naceri warned that third-party patching companies should not try to fix the vulnerability by patching the binary, as doing so will likely break Windows Installer.
“The best workaround available at the time of writing this is to wait for Microsoft to release a security patch, due to the complexity of this vulnerability,” explained Naceri.
“Any attempt to patch the binary directly will break Windows Installer. So you better wait and see how Microsoft will screw the patch again.”
Since publishing this story, Cisco Talos researchers have discovered that threat actors have begun to abuse this vulnerability with malware.
“During our investigation, we looked at recent malware samples and were able to identify several that were already attempting to leverage the exploit,” Cisco Talos’ Head of Outreach Nick Biasini told BleepingComputer.
“Since the volume is low, this is likely people working with the proof of concept code or testing for future campaigns. This is just more evidence on how quickly adversaries work to weaponize a publicly available exploit.”
Update 11/23/21 – Added statement from Microsoft.
Update 11/24/21 – Updated story about the zero-day being used in malware attacks.

I fail to understand why anyone would seek a bug bounty from Microsoft in the first place

They simply maintain Monopoly Control from your hard work so they don’t have to work

Stop paying for your own enslavement!

A bug bounty is where a company (such as Microsoft) pays you for reporting a vulnerability. If you don’t want to do it, then that’s OK, because there are plenty of people who enjoy earning tons of money from companies for helping them discover their security issues.
The complaints in the story indicate they are NOT making tons of money?

Didn’t you read that far?

@Some-Other-Guy Microsoft has apparently reduced some of their payouts for reported vulnerabilities, however it didn’t say all of them.
Bug bounty has at least some revenue.. I agree with you and the worst is Windows “Insider” aka unpaid betatester. People are blind..
I guess ethics don’t mean much to Naceri.
Very True!

You have to guess that ethics don’t mean much to Naceri.

With Microsoft, there is no need to guess
This exploit was unknown until you posted it @BleepingComputer
You think threat actors are going to bleeping computer for their zero days? This article helps make defenders aware. @pjeganat
Closing your eyes will not mean that the exploit does not exist.
In some ways, I think it is good that the information about Exploits is shown to the “public”. This forces the responsible companies to act.
best regards
// MisterVVV
No such vulnerability if you purged Edge from your system and use another browser
because it’s an Edge elevation / update services exploit foremost.
And it’s finally detected by the dumb Defender with all the fancy Cloud, ATP, Core Isolation..
..2 days later
No such vulnerability if you purged Edge from your system

I would love to be able to get rid of “Edge” permanently but as usual MS keeps shoving it in our faces insisting that we like it.

If you know a way to permanently remove it and not have it come back please reveal the method.

Thank you kindly
That linked reddit post works. It does not come back.

Switch to GNU/Linux and you won’t be a slave anymore. You don’t need Windows. Windows needs you.
The release build (32bit) from Naceri doesn’t appear to work on a 64bit system unless IIS is installed. True for others testing the concept and how systems may be compromised?
Zero-day? Was it found being actively exploited in the wild?
No? Not a zero-day.
A vulnerability does not have to be actively exploited to be a zero-day. It just needs to be publicly disclosed without an available patch.

As for it being abused, yes, it has now been detected used by malware.
How can I stop my browser from redirecting.

This is a bounty account takeover or something. Someone is reporting my device usage using targeted advertising; they are also on my Google account. Everything I do, he monitors and reports very wrongly, causing me and my usage difficulty.
Hello all,
is there a new CVE for this exploit, so that we can find it on Microsoft MSRC?
Also is there a security patch released for this?

Copyright @ 2003 – 2021 Bleeping Computer® LLC – All Rights Reserved