
Windows installer tagged with flaws that could elevate privileges


An unpatched vulnerability in the way Windows handles installer files could put systems at risk of attack.

Researcher Adrian Denkiewicz reported how the installation process in Windows 11 could be gamed to allow an attacker to elevate privileges and possibly take over a vulnerable system.

The problem, said Denkiewicz, stems from the way Windows handles permissions for installer (.msi) files. Without appropriate checks, installers are able to execute actions that would otherwise be forbidden under non-administrator accounts.

These custom actions can bypass the protections that normally apply to a standard user account because Windows Installer treats them as part of the installation itself and runs them with the installer's privileges rather than the user's. An attacker who can influence what such an action does can therefore use it to carry out malicious activity with those privileges.

“Custom Actions are necessary in scenarios where the built-in capabilities of Windows Installer are insufficient,” the researcher explained.

“For example, if an application requires specific registry keys to be set dynamically based on the user’s environment, a Custom Action can be used to achieve this.”

In short, a threat actor can manipulate Custom Actions to trigger operations that would otherwise be off-limits to a basic user account. The result is an elevation-of-privilege condition in which a local user gains administrator-level access and can install whatever malware they choose.
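Because the installer package has to be present on the machine already, the practical first step for a defender or a pentester is to audit what is installed. The script below is an added example, not code from the article or from the researcher it quotes. It walks the MSI packages that Windows Installer caches for per-machine products and lists every Custom Action that is scheduled deferred and without impersonation, the combination Windows Installer runs in the LocalSystem context during an install, repair or uninstall. Treating that class of action as the one worth reviewing for the issue described above is an assumption of the example; the script flags candidates for manual review and does not prove that any of them is exploitable. The `Invoke-Com` helper is the example's own, and the script should be run from an elevated PowerShell prompt.

```powershell
# Added example; not code from the article or from the researcher it quotes.
# Lists, for products already installed on this machine, the Custom Actions in the
# cached MSI package that are scheduled deferred AND without impersonation. Windows
# Installer runs that combination as LocalSystem, so these are the actions that
# execute with elevated privileges during install, repair or uninstall.
# Assumption: this class of action is the one worth reviewing for the issue
# discussed above; the output is a list of candidates for manual review.
# Run from an elevated PowerShell prompt.

$inScript      = 0x400   # msidbCustomActionTypeInScript (deferred execution)
$noImpersonate = 0x800   # msidbCustomActionTypeNoImpersonate (runs as LocalSystem)
$baseTypeMask  = 0x3F    # the low six bits carry the base custom action type

# Base types that execute a DLL, EXE or script. Types 19 (error), 35 (set
# directory) and 51 (set property) do not run code and are skipped.
$codeTypes = 1, 2, 5, 6, 17, 18, 21, 22, 34, 37, 38, 50, 53, 54

# Late-bound COM access: calling methods on WindowsInstaller.Installer directly
# fails in PowerShell, so every call goes through InvokeMember (example helper).
$installer = New-Object -ComObject WindowsInstaller.Installer
function Invoke-Com($obj, $name, $arguments, $kind = 'InvokeMethod') {
    $obj.GetType().InvokeMember($name, $kind, $null, $obj, $arguments)
}

# Per-machine installs record the cached package path under the SYSTEM SID.
$installProps = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\*\InstallProperties'

foreach ($product in Get-ItemProperty $installProps -ErrorAction SilentlyContinue) {
    $msi = $product.LocalPackage
    if (-not $msi -or -not (Test-Path -LiteralPath $msi)) { continue }

    try {
        $db   = Invoke-Com $installer 'OpenDatabase' @($msi, 0)   # 0 = open read-only
        $view = Invoke-Com $db 'OpenView' @('SELECT Action, Type, Source, Target FROM CustomAction')
        Invoke-Com $view 'Execute' $null | Out-Null
    } catch {
        continue   # no CustomAction table, or the package could not be opened
    }

    while ($rec = Invoke-Com $view 'Fetch' $null) {
        $type     = [int](Invoke-Com $rec 'StringData' @(2) 'GetProperty')
        $elevated = (($type -band $inScript) -ne 0) -and (($type -band $noImpersonate) -ne 0)
        if ($elevated -and ($codeTypes -contains ($type -band $baseTypeMask))) {
            [pscustomobject]@{
                Product = $product.DisplayName
                Package = $msi
                Action  = Invoke-Com $rec 'StringData' @(1) 'GetProperty'
                Type    = $type
                Source  = Invoke-Com $rec 'StringData' @(3) 'GetProperty'
                Target  = Invoke-Com $rec 'StringData' @(4) 'GetProperty'
            }
        }
    }
    Invoke-Com $view 'Close' $null | Out-Null
}
```

Pipe the output to `Format-Table -AutoSize` or `Export-Csv` for review. The Source and Target columns show what each flagged action invokes: a key into the package's Binary table, an installed file, or a property and command line. Candidates worth the closest look are those whose Source or Target resolve to something a standard user can influence, such as a path under a user-writable directory or a property that can be set on the msiexec command line during a repair.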

The vulnerability is not a recent revelation. Denkiewicz reported the issue to Microsoft late last year; after several months of back and forth, the report was closed on the grounds that the behaviour could not be reproduced on currently patched systems.

Microsoft did not respond to a request for comment on the matter.

If there is one redeeming factor in the disclosure, it is that the flaw is not remotely exploitable. A threat actor seeking to exploit the installer bug would first have to obtain local access (i.e., be able to run code on the target system as a standard user).

That means an attacker would need an initial foothold, typically gained through social engineering or an earlier compromise, before the exploit could run.

“The MSI file utilizing a vulnerable Custom Action must be already installed on the machine. However, the issue could be handy to pentesters performing Local Privilege Elevation or as a persistence mechanism.”
