Chiphell - Sharing and discussing user experiences


[Security] Fixed, but not completely! Microsoft's CVE-2021-41379 patch fails to fully fix the vulnerability

Posted on 2021-11-25 14:17
This post was last edited by 埃律西昂 on 2021-11-25 14:43
Source: TechSpot
Original English title: "New zero-day vulnerability in Windows Installer affects all versions of Microsoft's OS"


Microsoft already launched an update to address the vulnerability, but it wasn't enough to solve the issue

Computer security group Cisco Talos has found a new vulnerability that affects every Windows version to date, including Windows 11 and Server 2022. The vulnerability exists in the Windows Installer and allows hackers to elevate their privileges to become an administrator.


The discovery of this vulnerability led the Cisco Talos group to update its Snort rules, which consist of rules to detect attacks targeting a list of vulnerabilities. The updated list of rules includes the zero-day elevation of privilege vulnerability, as well as new and modified rules for emerging threats from browsers, operating systems and network protocols, among others.

Exploiting this vulnerability allows hackers with limited user access to elevate their privileges, acting as an administrator of the system. The security firm has already found malware samples out on the Internet, so there's a good chance someone already fell victim to it.

The vulnerability had been previously reported to Microsoft by Abdelhamid Naceri, a security researcher at Microsoft, and was supposedly patched with the fix CVE-2021-41379 on November 9. However, the patch didn't seem to be enough to fix the issue, as the problem persists, leading Naceri to publish the proof-of-concept on GitHub.



In simple terms, the proof-of-concept shows how a hacker can replace any executable file on the system with an MSI file using the discretionary access control list (DACL) for Microsoft Edge Elevation Service.

Microsoft rated the vulnerability as "medium severity," with a base CVSS (Common Vulnerability Scoring System) score of 5.5 and a temporal score of 4.8. Now that a functional proof-of-concept exploit code is available, others could try to further abuse it, possibly increasing these scores. At the moment, Microsoft has yet to issue a new update to mitigate the vulnerability.

Naceri seems to have tried to patch the binary himself, but with no success. Until Microsoft patches the vulnerability, the Cisco Talos group recommends those using a Cisco secure firewall to update their rules set with Snort rules 58635 and 58636 to keep users protected from the exploit.

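Original poster | Posted on 2021-11-29 21:17
This post was last edited by 埃律西昂 on 2021-11-29 21:18

Damn, the story behind this vulnerability is way too melodramatic, if the official account didn't just make it up.
So in MS's eyes, Windows security is really worth this little?!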