Category: security

“This variant was discovered during the analysis of CVE-2021-41379 patch. the bug was not fixed correctly, however, instead of dropping the bypass,” explains Naceri in his writeup. “I have chosen to actually drop this variant as it is more powerful than the original one.” Furthermore, Naceri explained that while it is possible to configure group policies to prevent ‘Standard’ users from performing MSI installer operations, his zero-day bypasses this policy and will work anyway. BleepingComputer tested Naceri’s ‘InstallerFileTakeOver’ exploit, and it only took a few seconds to gain SYSTEM privileges from a test account with ‘Standard’ privileges, as demonstrated in [this video]. When BleepingComputer asked Naceri why he publicly disclosed the zero-day vulnerability, we were told he did it out of frustration over Microsoft’s decreasing payouts in their bug bounty program. A Microsoft spokesperson said in a statement: “We are aware of the disclosure and will do what is necessary to keep our customers safe and protected. An attacker using the methods described must already have access and the ability to run code on a target victim’s machine.”

Naceri recommends users wait for Microsoft to release a security patch, as attempting to patch the binary will likely break the installer.