Windows Installer Flaw is Being Actively Exploited
Attackers are actively exploiting an inadequately patched flaw in Microsoft Windows Installer to gain admin rights on vulnerable systems. Microsoft released a fix for the medium-severity privilege elevation flaw in November’s Patch Tuesday release, but the researcher who initially detected the flaw has detected a more serious variant. The vulnerability affects all versions of Windows.
Not much you can do about this right now. But remember that this is “just” a privilege escalation flaw. Sadly, privilege escalation flaws are common enough to always assume that there are a few being exploited for which no patch is available.
This is a great example of where vulnerability management and purple teams will provide value added to the organization. The VM team should be on top of situations like this where a patch doesn't completely remediate the vulnerability. The purple team should be ready to assist in crafting detections that align with the organization's telemetry. For those with neither team, know that this is a Local Privilege Escalation (LPE) vulnerability and can only be triggered by a threat actor who already has gained execution on the system. It also poses increased risks for insider threats who might seek to elevate their privileges.
The flaw allows for privilege escalation using an existing account. While the long-term fix is another update from Microsoft, in the short term you can leverage the Snort rule SIDs 5865 and 58636 to block exploitation. Note these are in the Snort Subscriber Ruleset, not the free Community Ruleset.
Pen testers: it's good to exploit these types of flaws, but do consider what your recommendation is beyond, “Implement patch when available.” What detections can you recommend? What possible follow-on actions might defenders look for? Are there other compensating controls (specific to their environment) that can lessen the frequency or severity of privilege escalation vulnerabilities like this one?