Microsoft missed a zero-day vulnerability that put billions of computers at risk

Tram Ho

According to a security researcher, billions of Windows computers are potentially at risk because of a zero-day vulnerability that Microsoft did not carefully patch.

This vulnerability currently exists only as a proof of concept and has not been used in real attacks, but the security researcher believes that only a few small tweaks are needed before it could be used for large-scale attacks.

Microsoft missed a zero-day vulnerability that could put billions of computers at risk - Image 1.

The vulnerability takes advantage of a bug in Windows Installer (CVE-2021-41379) that Microsoft said it patched earlier this month. The BleepingComputer site tested the exploit and confirmed that it can be used to open the CMD tool with SYSTEM privileges from an account that has only ordinary user rights. Attackers can use this privilege, together with an MSI file, to run any executable file on the machine as admin. The whole process takes only a few seconds.

Although there is nothing to worry about at this time, if the exploit were to spread, billions of computers could be at risk. It gives attackers admin rights on both Windows 10 and Windows 11. However, this is not a remotely exploitable vulnerability, so bad actors need to gain access to the device first to use it.

Abdelhamid Naceri, who discovered the vulnerability, said that he decided to publicize the bug instead of sending a warning to Microsoft in advance because he wanted to protest against Microsoft’s reduction of the reward amount for those who find Windows bugs.

Microsoft is now aware of the vulnerability but has not provided a release schedule for the fix. Naceri also advises third parties not to issue patches themselves, as doing so will cause Windows Installer to malfunction.

References: Gizmodo, XDA Developers


Source: Genk