
topicnews · September 13, 2024

Windows Installer opens the way for attackers


A security company has now published details of another zero-day vulnerability that was patched on Microsoft's most recent Patch Tuesday. The flaw lies in the Windows Installer, which briefly let code run with far more rights than the user who triggered it.

SYSTEM rights for attackers

The vulnerability, tracked as CVE-2024-38014, was discovered by security firm SEC Consult and reported to Microsoft under responsible disclosure. SEC Consult has now published the details of the vulnerability and released an open source tool that scans systems for potentially dangerous installation packages.

Microsoft confirms that the vulnerability is already being actively exploited. To close the hole, Microsoft introduced a User Account Control (UAC) prompt that appears before the design flaw can be abused. The action now requires administrator rights, which effectively closes the path to unauthorized privilege escalation.

Security researcher Michael Baer of SEC Consult discovered the vulnerability back in January. Fixing it proved complex, however, and Microsoft asked for more time to produce a patch. The fix was originally planned for May, but technical challenges pushed the release back to September. In a blog post, Baer has now explained in detail how the attack works.

The attack starts when a low-privileged user launches a repair of already installed software from its installation package on a vulnerable Windows system. The repair runs with full SYSTEM privileges, and the attacker exploits a brief window during that process to take over those privileges and thus gain far more control over the system.

Script helps

The attack relies on a console window that briefly appears during the repair. By quickly clicking the window's title bar and selecting "Properties", the user can keep the window from closing and, in a further step, open a command prompt with SYSTEM rights.

However, SEC Consult points out that the attack does not work with newer versions of Edge or Internet Explorer. In addition, not all .msi files are vulnerable. So that installation packages do not have to be checked by hand, SEC Consult has developed a Python-based tool called "msiscan" that performs the check automatically.
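As an added illustration, not code from the article and not SEC Consult's msiscan: a read-only PowerShell check that opens an .msi through the WindowsInstaller.Installer COM object, reads its CustomAction table, and lists executable custom actions that are scheduled as deferred and run without impersonation, i.e. in the Windows Installer service's SYSTEM context. The assumption behind it, which the article does not state, is that such an action is what produces the short-lived SYSTEM console window during repair, so packages containing one are the ones to look at first. The function names, the folder default and the late-bound COM helpers are mine; the Type flag values are the ones documented in the Windows Installer SDK.

```powershell
# Added example (not from the article, not SEC Consult's msiscan). Windows only.
# Lists custom actions in an .msi that run deferred (from the Installer service) with
# no impersonation, i.e. as LocalSystem, and that launch an executable. Assumption:
# such an action is what spawns the SYSTEM console window seen during repair.

# Type-column flag values from the Windows Installer SDK (CustomAction table).
$CA_BaseTypeMask  = 0x07    # base type: 1 DLL, 2 EXE, 3 text, 5 JScript, 6 VBScript, 7 nested install
$CA_Exe           = 0x02    # msidbCustomActionTypeExe
$CA_InScript      = 0x400   # msidbCustomActionTypeInScript: deferred, executed by the service
$CA_NoImpersonate = 0x800   # msidbCustomActionTypeNoImpersonate: no user impersonation -> SYSTEM

function Invoke-ComMethod {
    param($Object, [string]$Name, [object[]]$Arguments)
    # Late-bound call on a COM automation object; the WindowsInstaller object exposes
    # no type information to PowerShell, so InvokeMember is the usual way to drive it.
    return $Object.GetType().InvokeMember($Name, 'InvokeMethod', $null, $Object, $Arguments)
}

function Get-ComProperty {
    param($Object, [string]$Name, [object[]]$Arguments)
    # Late-bound read of an indexed COM property such as Record.StringData(n).
    return $Object.GetType().InvokeMember($Name, 'GetProperty', $null, $Object, $Arguments)
}

function Get-SystemCustomActions {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$MsiPath)

    $installer = New-Object -ComObject WindowsInstaller.Installer
    $db = Invoke-ComMethod $installer 'OpenDatabase' @($MsiPath, 0)   # 0 = msiOpenDatabaseModeReadOnly
    try {
        $query = 'SELECT `Action`, `Type`, `Source`, `Target` FROM `CustomAction`'
        $view  = Invoke-ComMethod $db 'OpenView' @($query)
    } catch {
        # A package without a CustomAction table has nothing to flag here.
        return @()
    }
    Invoke-ComMethod $view 'Execute' $null | Out-Null

    $findings = @()
    while ($true) {
        $rec = Invoke-ComMethod $view 'Fetch' $null
        if ($null -eq $rec) { break }                       # Fetch returns $null after the last row
        $type = [int](Get-ComProperty $rec 'IntegerData' @(2))
        $isExe          = (($type -band $CA_BaseTypeMask) -eq $CA_Exe)
        $isDeferred     = (($type -band $CA_InScript) -ne 0)
        $isNoImpersonate = (($type -band $CA_NoImpersonate) -ne 0)
        if ($isExe -and $isDeferred -and $isNoImpersonate) {
            $findings += [pscustomobject]@{
                Package = $MsiPath
                Action  = Get-ComProperty $rec 'StringData' @(1)
                Type    = ('0x{0:X}' -f $type)
                Source  = Get-ComProperty $rec 'StringData' @(3)
                Target  = Get-ComProperty $rec 'StringData' @(4)
            }
        }
    }
    Invoke-ComMethod $view 'Close' $null | Out-Null
    return $findings
}

function Find-SystemCustomActions {
    # Walk a folder of packages (default: the Installer cache, where Windows keeps the
    # .msi files that a repair would use) and report every match.
    param([string]$Folder = (Join-Path $env:SystemRoot 'Installer'))
    Get-ChildItem -Path $Folder -Filter *.msi -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object { Get-SystemCustomActions -MsiPath $_.FullName }
}

# Usage (runs as a normal user, nothing is modified):
#   Find-SystemCustomActions | Format-Table -AutoSize
#   Get-SystemCustomActions -MsiPath 'C:\path\to\package.msi'
```

The filter is deliberately narrow: DLL, script and nested-install custom actions also run as SYSTEM when deferred without impersonation, but they do not open a console window, and an EXE action that is flagged here still only matters if the sequence tables schedule it during a repair rather than only on first install. Treat a hit as a package worth examining, not as proof that it is exploitable, and expect msiscan's own heuristics to differ.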

Summary

  • Zero-day vulnerability in Windows Installer discovered and fixed
  • CVE-2024-38014 was discovered by SEC Consult and reported to Microsoft
  • Microsoft introduced UAC prompt to prevent abuse
  • The vulnerability was discovered in January and the fix was delayed until September
  • Attack by manipulating a console window during repair
  • SEC Consult releases Python tool “msiscan” to check .msi files
  • The attack does not work with the latest versions of Edge and Internet Explorer
