In short: Cisco's Talos security team has reported a new vulnerability that affects every current version of Windows, including Windows 11 and Server 2022. The flaw lies in Windows Installer and lets an attacker with an ordinary user account elevate to administrator-level privileges.
The discovery prompted Cisco Talos to update its Snort rules, the attack detection signatures it maintains for a list of known vulnerabilities. The updated rule set adds coverage for this zero-day privilege escalation vulnerability, alongside new and revised rules for recent threats involving browsers, operating systems, and network protocols, among others.
Exploiting the vulnerability lets an attacker who already has limited user access escalate to administrator-level privileges. Talos has already seen malware samples in the wild attempting to use it, so there is a good chance that someone has already fallen victim to it.
The vulnerability was originally reported to Microsoft by security researcher Abdelhamid Naceri and was supposedly fixed on November 9 with the patch for CVE-2021-41379. Because the fix was incomplete and the issue persists, Naceri published a proof of concept on GitHub…
Simply put, the proof of concept abuses Windows Installer (an MSI package) to overwrite the Discretionary Access Control List (DACL) of the Microsoft Edge Elevation Service binary, copy the attacker's own executable over it, and then have the service run that replacement with elevated privileges. The same technique can be used to replace any executable file on the system.
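As an added, defender-side check that is not part of the article, Talos' advisory, or the proof of concept itself, the following PowerShell script inspects the Edge Elevation Service binary for the two things the PoC changes: a weakened file DACL and a replaced executable. It assumes the service is registered under the name MicrosoftEdgeElevationService and that the genuine binary carries a valid Authenticode signature from Microsoft; both are assumptions to confirm on your own build.

```powershell
# Added example (not from the article, Cisco Talos, or the PoC author).
# Looks for the tampering the CVE-2021-41379 bypass PoC performs on the
# Edge Elevation Service binary: a DACL that lets low-privilege principals
# write to it, an unexpected owner, or a replaced (unsigned) executable.
# Assumption: the service name below is correct for the installed Edge build.

function Test-EdgeElevationServiceBinary {
    [CmdletBinding()]
    param(
        [string]$ServiceName = 'MicrosoftEdgeElevationService'  # assumed name
    )

    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc) {
        Write-Warning "Service '$ServiceName' is not registered on this host."
        return
    }

    # PathName is normally quoted and may carry arguments; keep only the executable.
    $exe = $svc.PathName
    if ($exe -match '^"([^"]+)"') { $exe = $Matches[1] }
    else { $exe = ($exe -split ' ')[0] }

    if (-not (Test-Path -LiteralPath $exe)) {
        Write-Warning "Service binary '$exe' was not found."
        return
    }

    $findings = @()

    # 1. DACL review. Any Allow ACE giving a low-privilege principal the right to
    #    write, delete, change permissions on, or take ownership of the binary is
    #    suspicious. Modify and FullControl contain these bits, so they match too.
    $riskyRights  = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
    $lowPrivilege = @(
        'Everyone',
        'BUILTIN\Users',
        'NT AUTHORITY\Authenticated Users',
        'NT AUTHORITY\INTERACTIVE'
    )

    $acl = Get-Acl -LiteralPath $exe
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        $who = $ace.IdentityReference.Value
        if (($lowPrivilege -contains $who) -and (($ace.FileSystemRights -band $riskyRights) -ne 0)) {
            $findings += "DACL grants '$who' $($ace.FileSystemRights) on $exe"
        }
    }

    # Owner check: a non-administrative owner can rewrite the DACL at will.
    $owner = $acl.Owner
    $expectedOwners = @('NT SERVICE\TrustedInstaller', 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
    if ($expectedOwners -notcontains $owner) {
        $findings += "Unexpected owner '$owner' on $exe"
    }

    # 2. Signature check. The PoC copies its own executable over the service
    #    binary, so a missing or non-Microsoft Authenticode signature is a strong
    #    indicator that the file has been swapped.
    $sig = Get-AuthenticodeSignature -LiteralPath $exe
    if ($sig.Status -ne 'Valid') {
        $findings += "Authenticode status is '$($sig.Status)' for $exe"
    } elseif ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
        $findings += "Unexpected signer '$($sig.SignerCertificate.Subject)' for $exe"
    }

    [pscustomobject]@{
        Service    = $ServiceName
        Binary     = $exe
        Owner      = $owner
        Signer     = $sig.SignerCertificate.Subject
        Findings   = $findings
        Suspicious = ($findings.Count -gt 0)
    }
}

Test-EdgeElevationServiceBinary | Format-List
```

A clean result means the binary has not visibly been tampered with; it says nothing about whether the underlying Windows Installer flaw is patched, since the PoC rewrites the DACL only at exploit time. Run the check from an elevated prompt so the ACL and signature reads are not themselves blocked, and treat any finding as a host that warrants a forensic look rather than a one-off repair.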
Microsoft rated the vulnerability as "medium severity", with a CVSS (Common Vulnerability Scoring System) base score of 5.5 and a temporal score of 4.8. Now that working proof-of-concept exploit code is publicly available, others are likely to build on it, which could push those scores higher. At the time of writing, Microsoft has not released a new update to address the bypass.
Naceri appears to have tried to patch the binary himself, without success. Until Microsoft ships a fix, the Cisco Talos team recommends that Cisco Secure Firewall users update their rule set with Snort rules 58635 and 58636 to protect against the exploit.