fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Windows ‘InstallerFileTakeOver’ Zero-day Bug Gets Free Micropatch

Windows ‘InstallerFileTakeOver’ Zero-day Bug Gets Free Micropatch

An unofficial patch is available for a zero-day vulnerability that is actively exploited in the wild to gain administrator privileges.

Proof-of-concept (PoC) exploit code that works out of the box has been published for this issue, which is referred to as the “InstallerFileTakeOver” bug.

The vulnerability affects all Windows versions, including Windows 11 and Windows Server 2022, and it can be exploited by attackers with limited local accounts to escalate privileges and run code with admin rights.

Also Read: Don’t Be Baited! 5 Signs of Phishing in Email

Unpatched bug in Windows Installer

Abdelhamid Naceri, the researcher who created the Poc, found the issue when analyzing the patch for another privilege escalation bug that he reported to Microsoft, currently tracked as CVE-2021-41379.

He discovered that Microsoft’s fix was incomplete, leaving room for exploitation to run code with administrator privileges. Naceri also noted that the new variant, which has not yet received a CVE identifier, “is more powerful than the original one.”

Mitja Kolsek, the co-founder of the 0patch service that delivers hotfixes that don’t require system reboots, explains that the issue stems from the way Windows installer creates a Rollback File (.RBF) that allows restoring the data deleted or modified during the installation process.

At one point, Windows changes the location of the RBF file from “Config.msi“ to the temporary folder and modifies its permissions to allow user write access.

“Abdelhamid noticed that a symbolic link can be created in place of the incoming RBF file, which will result in moving the RBF file from  C:\Windows\Installer\Config.msi to some other user-chosen file on the system. Since Windows Installer is running as Local System, any file writable by Local System can be overwritten and made writable by the local user” – Kolsek says in a blog post last week.

Also Read: 4 Reasons to Outsource Penetration Testing Services

The code from 0Patch checks that there are no junctions or links in the destination path of the RBF file; otherwise, it blocks the moving of the file to eliminate the risk of exploitation.

The micropatch is free and it works on Windows 7 ESU, Windows 10, Server 2008 ESU/2012/2016/2019. A video published earlier this month shows it in action

To note, the 0Patch correcting code is a temporary solution aimed at keeping systems safe until Microsoft releases a permanent patch for the issue, which has yet to happen.

Talking to BleepingComputer, Naceri said that he released the proof-of-concept (PoC) exploit for this unsolved issue without informing Microsoft of his findings.

Taking this approach was influenced by his previous experience with reporting the CVE-2021-41379 and other vulnerabilities to Microsoft, for which the researcher believes deserved more than just a “thank you” from the company.

Until Microsoft rolls out a fix for this problem, threat actors have a new method to increase their privileges on a compromised Windows computer and they are not wasting any time.

A threat advisory from Cisco Talos last month warned that adversaries are using malware samples that try to leverage the new vulnerability discovered by Naceri.

“The code Naceri released leverages the discretionary access control list (DACL) for Microsoft Edge Elevation Service to replace any executable file on the system with an MSI file, allowing an attacker to run code as an administrator” – Cisco Talos

For now, the best defense users have is to run the 0Patch temporary fix, which is applied on the fly and does not require restarting the machine.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us