Microsoft Windows Installer Zero-Day Vulnerability (CVE-2021-41379) Alert
Microsoft has invested heavily in security research, and it runs a detailed bug bounty program that sets the maximum payout for researchers who submit vulnerabilities.
In April 2020, Microsoft adjusted the bug bounty program, and the reward for bugs discovered by researchers dropped from the original $10,000 to $1,000.
The researcher complained about Microsoft’s stinginess and then disclosed the details of the vulnerability directly. Recently, a researcher published a PoC for the Microsoft Windows Installer zero-day vulnerability (CVE-2021-41379). Using the vulnerability, an attacker could escalate to administrator privileges on the target device.
For example, in a corporate environment, employees use ordinary accounts assigned by administrators. Through this vulnerability, an employee can elevate their permissions to administrator and perform other operations.
The affected operating systems include Windows 10, Windows 11, and the Windows Server family of server operating systems, so the potential harm is significant.
In response to this incident, Microsoft issued a statement saying that the company is aware of the disclosure of this vulnerability and is currently taking the necessary measures to ensure that customers remain protected.
Microsoft said that an attacker who wants to use this method must already have access to the target victim’s device and be able to run code on it in order to complete the privilege escalation.
Having said that, this kind of privilege escalation vulnerability is not actually harmless, and Microsoft is probably already working on a fix to plug the vulnerability promptly.
This vulnerability may be more harmful in an enterprise’s internal environment, mainly because once an attacker has elevated to administrator, they can carry out more complex operations to complete the attack.
For example, once a device is infected and the attacker has gained administrator privileges, they may be able to move laterally across the intranet by other means and infect more devices.
After the researchers made the vulnerability public, attackers were quick to see an opportunity. “Talos has already detected malware samples in the wild that are attempting to take advantage of this vulnerability,” said Jaeson Schultz, Technical Leader for Cisco’s Talos Security Intelligence & Research Group.
Cisco said that several samples attempting to exploit this vulnerability were identified during the investigation, but given the small number, these may just be an attacker’s proof of concept.
If Microsoft does not fix the vulnerability in time, it is very likely to be weaponized; there is no doubt that more attackers will try to exploit it every day.
However, Microsoft has not issued a statement on the bug bounty program. After this incident, it is not known whether Microsoft will reconsider the bounty program it revised earlier.