• 0Patch released a fix for Windows “InstallerFileTakeOver” 0day

    #2404432

    https://blog.0patch.com/2021/12/free-micropatches-for.html

    Wow, this is the third 0day found by the same researcher we’re patching in the last two weeks.

    Abdelhamid Naceri, a talented security researcher, has been keeping us busy with 0days this year. In January we micropatched a local privilege escalation in Windows Installer they had found (already fixed by Microsoft), and in the last two weeks we fixed an incompletely patched local privilege escalation in User Profile Service and a local privilege escalation in Mobile Device Management Service (still 0days at the time of this writing).

    Ten days ago, Abdelhamid tweeted a link to their GitHub repository containing a proof of concept for another unpatched vulnerability in Windows Installer. The vulnerability allows a local non-admin user to overwrite an existing file to which they do not have write access, and then arbitrarily change its content. This can easily be turned into local privilege escalation by overwriting a trusted system executable file with one’s own code – as demonstrated by Abdelhamid’s POC, which launches a command line window as Local System.

    According to Cisco Talos, this vulnerability is being exploited in the wild. ..

    Note that Abdelhamid’s POC also works on Windows 11 and likely Windows Server 2022, but we don’t support these Windows versions yet.

    Micropatches for this vulnerability will be free until Microsoft has issued an official fix.

    • #2404445

      Hopefully we see more info about Windows 7 systems without the ESU appearing to not be vulnerable.

      If non-ESU systems are unaffected, it raises a couple questions.

      How does having the ESU make a difference one way or the other?

      Could the ESU standalone installer cause the same issue?

      • #2404490

        The 0-day bug might be in recent Microsoft patches.

        • #2404493

          So it comes down more to actually having the ESU patches installed rather than how they were installed?

          Am I understanding this correctly?

        • #2404629

          No.

          The bug is with Windows Installer so patching Win 7 turns the OS vulnerable.

        • #2404649

          Ok, that’s why the wording in the 0Patch blog didn’t make sense (to me) then.

          I was reading it as the bug was part of the patches themselves, not the Windows Installer.

          If Windows Installer was mentioned, I just didn’t see it.

          I’ve seen a comment on the gHacks article about this saying that the bug isn’t really that bad because it requires physical access to be used. Is there any possible truth to this?

    • #2404683

      I’ve seen a comment on the gHacks article about this saying that the bug isn’t really that bad because it requires physical access to be used. Is there any possible truth to this?

      It does need access, which could be physical, remote, hacked…
