Windows ‘InstallerFileTakeOver’ Bug Micropatch Is Now Out

Share post:

An unofficial patch has been released for a zero-day vulnerability that is actively exploited to gain administrator privileges.

Proof-of-concept (PoC) exploit code that runs out of the box has been published for the current release, known as the “InstallerFileTakeOver” bug.

The vulnerability affects all versions of Windows and can be exploited by attackers with limited local accounts to escalate privileges and execute code with full admin privileges.

Abdelhamid Naceri, researcher and creator of the Poc, discovered the bug while analyzing the patch for another privilege escalation bug he reported to Microsoft and which is currently being tracked as CVE-2021-41379.

Naceri found that Microsoft’s fix was incomplete, allowing code to be executed with administrator privileges. He also explained that the new variant, which does not yet have a CVE identifier, “is more powerful than the original one.”

Mitja Kolsek, co-founder of the 0patch service, which offers hotfixes that do not require a reboot of the system, says that the error stems from the way the Windows installer creates a Rollback File (.RBF) that enables restoring the data that has been changed or deleted during the installation process.

The 0Patch code checks that there are no junctions or links in the destination path of the RBF file. Otherwise, it will block the movement of the file to eliminate the risk of exploitation.

The micropatch is free and works on Windows 7 ESU, Windows 10, Server 2008 ESU/2012/2016/2019, with a published video demonstrating what the micropatch does.

The 0Patch correcting code is a temporary solution with the aim of insulating systems until Microsoft provides a permanent patch for the problem, which has not yet happened.

At the moment, the best defense is to run the 0Patch temporary fix, which can be used without any need to restart the machine.

For more information, you may view the original story from Bleeping Computer.



Related articles

Microsoft announces enhanced security feature for OneNote

Microsoft has released further information on the increased security measures it is deploying for OneNote in order to...

Russian hacker group steals Emails of NATO officials and diplomats

Since February 2023, a Russian hacking gang known as TA473 or 'Winter Vivern' has targeted unpatched Zimbra endpoints...

Canadian cybersecurity accelerator counts its accomplishments

A Canadian university-associated business accelerator for helping early-stage cybersecurity companies says its first two years of operation have been more than satisfactory. The Rogers Cybersecure Catalyst Accelerator has had “an incredible impact” on Canadian cybersecurity entrepreneurs and founders, executive director Charles Finlay said this week in the first report on the program’s progress. Despite having

Crackdown on ransomware gangs yet to show an impact: OpenText

In its annual cybersecurity report OpenText also looked at malware, phishing and infec

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways