Pesky Zero-Day Exploit Grants Admin Access To Any Windows User, Evades Microsoft Security Patch
All currently supported Windows platforms are affected, including Windows 11 and every extant server version, even with the latest patches applied. The exploit works by taking over privileged functions within the Windows Installer, although it can apparently also go through a built-in Microsoft Edge elevation service. Microsoft already attempted to patch this flaw once, but the fix was evidently incomplete.
On GitHub, where the example code resides, the author writes that the exploit works even on systems where group policy is configured (as it is by default on Server editions) to prevent standard users from initiating the Microsoft Installer. He notes that "the administrative install thing seems to be completely bypassing group policy." Not a great look for Microsoft right now.
The author also notes that the proof of concept is "extremely reliable" and "doesn't require anything." Apparently, he had already created an earlier version of the hack that bypassed Microsoft's attempt to patch it, and the released version is a more robust variant of that hack. Further still, he says he has yet another variant to drop once Microsoft patches this one.
We haven't tried the example code ourselves, but BleepingComputer took the bullet and confirmed that it works on a fully patched Windows 10 21H1 build; they have a demo video in their blog post. When they reached out to the author, they questioned his immediate public release of the zero-day, rather than following the normal industry procedure of disclosing it to the vendor for a bounty. He responded that he wouldn't have done it if Microsoft hadn't "trashed" its bug bounties.
Ultimately, the best option for everyone seems to be waiting on Microsoft to release a patch. The author facetiously says, "any attempt to patch the binary will break [the] Windows Installer, so you better wait and see how Microsoft will screw the patch again." Comical tone aside, this is a serious exploit, so hopefully Redmond can get it fixed sooner rather than later.