Summary
On 22/11, security researcher Abdelhamid Naceri publicly disclosed a new zero-day vulnerability for “Windows Installer Elevation of Privilege”, which Microsoft had attempted to patch in November 2021, under CVE-2021-41379.
The patch released by Microsoft in early November has inadvertently harboured a new, more powerful zero-day privilege elevation vulnerability.
Proof of concept for this new exploit has been published on GitHub, which explains that it works on all supported versions of Windows, including Windows 10, 11 and Server 2022.
The researcher explains this “more powerful” variant was identified when testing Microsoft’s patch for the original vulnerability and has decided to publicly disclose this in protest of Microsoft’s reduced payments to Bug Bounty Program researchers.
Vulnerable versions:
- All supported versions of Windows, including Windows 10, 11 and Server 2022.
Recommendation(s):
Currently, there are no published workarounds or mitigations for this new exploit. Our security partners are aware of this and will continue to monitor for any further updates.
Full Details and References
- https://www.bleepingcomputer.com/news/microsoft/new-windows-zero-day-with-public-exploit-lets-you-become-an-admin/
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-41379
Questions:
If you have any questions or concerns about this advisory, please contact us via our support desk – support@empsn.org.uk