The situation

Following an update, the Microsoft Software Installer is left vulnerable on all supported Windows versions, giving threat actors an opportunity to escalate privileges and execute code as SYSTEM. Given the nature of the MSI, its remediation will be a priority. However, at this point there is no timeline for the fix being rolled out to the stable channel. Read on to learn what you need to do now.

Technical summary

Title of threat: Microsoft Zero Day Vulnerability “InstallerFileTakeOver”.
Date threat first identified: 22/11/2021 by Abdelhamid Naceri
Associated CVE Number(s): CVE-2021-41379
Risk Severity: Critical

  • The Microsoft Software Installer (MSI) is vulnerable following the update.
  • Affects all supported Windows versions (Windows 7, Windows 8.1, Windows 10, Windows 11 and Windows Server 2008 through 2022).
  • A patch released for Windows 11 did not fix the issue properly. Given the nature of the MSI this fix will be a priority, but at this point there is no timeline for the fix being rolled out to the stable channel.

Risk to the customer

Applications that depend on MSI may fail to update or behave unpredictably. The MSI vulnerability itself could be used to delete files or directories. Furthermore, it could be used to escalate privileges and execute code as SYSTEM.

What you need to do

If you are lucky enough to have not applied the update yet, then hold off. If you have applied the update, remove it and await the next security patch from Microsoft:

  1. In Windows Desktop Search type ‘update history’, then click ‘View your update history’
  2. Select ‘Uninstall updates’
  3. In the Installed Updates dialog window, find and select KB5007215, then click the Uninstall button
  4. Restart

External supporting references (URLs, IOCs, etc.):
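For administrators who need to check a machine (or a fleet) for the update and remove it without clicking through the dialog, the following PowerShell script is an added example and not part of the original advisory. It assumes an elevated session, that wusa.exe can uninstall the update by KB number on the build in question, and a constructed default of KB5007215 taken from the steps above.

```powershell
# Added example (not from the original advisory): report whether KB5007215
# is installed and, only when -Uninstall is given, remove it with wusa.exe.
# Assumptions: elevated PowerShell; wusa.exe accepts /uninstall /kb:<n> for
# this update on the target build. On Windows 10/11 builds where the LCU is
# shipped combined with the SSU, wusa refuses and DISM /Online /Remove-Package
# with the package name from the Installed Updates dialog is required instead.
[CmdletBinding()]
param(
    [string]$Kb = 'KB5007215',   # update named in the advisory steps
    [switch]$Uninstall           # default is check-only
)

# Get-HotFix reads the same installed-update inventory the dialog displays.
$hotfix = Get-HotFix -Id $Kb -ErrorAction SilentlyContinue

if (-not $hotfix) {
    Write-Output "$Kb is not installed on $env:COMPUTERNAME; nothing to remove."
    return
}

Write-Output ("{0} is installed on {1} (InstalledOn: {2})" -f `
    $Kb, $env:COMPUTERNAME, $hotfix.InstalledOn)

if (-not $Uninstall) {
    Write-Output "Check-only run; re-run with -Uninstall to remove it."
    return
}

# wusa wants the bare number, not the KB prefix.
$kbNumber = $Kb -replace '^KB', ''
$proc = Start-Process -FilePath "$env:SystemRoot\System32\wusa.exe" `
    -ArgumentList "/uninstall /kb:$kbNumber /quiet /norestart" `
    -Wait -PassThru

switch ($proc.ExitCode) {
    0    { Write-Output "$Kb removed; restart the machine to complete the rollback." }
    3010 { Write-Output "$Kb removed; restart required (exit code 3010)." }
    default {
        Write-Warning ("wusa.exe exited with code {0}; the update may be a combined " +
            "SSU+LCU package. Check the WindowsUpdateClient event log and use " +
            "DISM /Online /Remove-Package if wusa cannot uninstall it.") -f $proc.ExitCode
    }
}
```

Run it without switches first to confirm the update is actually present before removing anything, and restart afterwards as step 4 requires.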