Hackers already exploiting InstallerFileTakeOver Windows zero-day

by Surur
November 23, 2021

We reported yesterday that a security researcher has released a very simple privilege escalation exploit for all supported versions of Windows.

Naceri’s exploit easily elevates a regular user to System privileges, as can be seen in BleepingComputer’s video below:

The ‘InstallerFileTakeOver’ exploit works on Windows 10, Windows 11, and Windows Server and can be chained with other exploits to fully take over a computer network.

In a statement, Microsoft played down the risk, saying:

“We are aware of the disclosure and will do what is necessary to keep our customers safe and protected. An attacker using the methods described must already have access and the ability to run code on a target victim’s machine.”

Now BleepingComputer reports that hackers have already started exploiting the vulnerability.

“Talos has already detected malware samples in the wild that are attempting to take advantage of this vulnerability,” said Jaeson Schultz, Technical Leader for Cisco’s Talos Security Intelligence & Research Group.

The hackers appear to still be in the development phase of their malware.

“During our investigation, we looked at recent malware samples and were able to identify several that were already attempting to leverage the exploit,” said Cisco Talos’ Head of Outreach Nick Biasini. “Since the volume is low, this is likely people working with the proof of concept code or testing for future campaigns. This is just more evidence on how quickly adversaries work to weaponize a publicly available exploit.”

Naceri, who released the proof of concept code for the zero-day, told BleepingComputer he did this due to Microsoft’s decreasing payouts in their bug bounty program.

“Microsoft bounties have been trashed since April 2020. I really wouldn’t do that if MSFT didn’t take the decision to downgrade those bounties,” explained Naceri.

With the line between security researchers and malware authors being very thin, Microsoft may want to re-evaluate their bug bounty strategy going forward.

via BleepingComputer