Skip links

McAfee Enterprise Defender Blog | Windows Zero-Day – CVE-2021-41379

Threat Summary

This month it was disclosed that a Microsoft vulnerability that allows for local privilege elevation, previously patched in the November 2021 Patch Tuesday, is still exploitable and was not patched correctly. Using this vulnerability, threat actors with limited access to a compromised device can easily elevate their privileges to help spread laterally within the network.

Figure 1. MITRE ATT&CK Matrix for Windows Zero-Day in MVISION Insights

The vulnerability affects all supported versions of Windows, including Windows 10, Windows 11, and Windows Server 2022. At the time of writing, Microsoft has not released any updates or out-of-band patches to resolve it.

CVE-2021-41379 – Microsoft Windows Installer Elevation of Privilege Vulnerability

Bleeping Computer: New Windows zero-day with public exploit lets you become an admin

Bleeping Computer: Malware now trying to exploit new Windows Installer zero-day

McAfee Enterprise Protections and Global Detections

McAfee Enterprise Global Threat Intelligence is currently detecting all known proof of concept exploits for this zero-day vulnerability as malicious.

Blocking Exploitation Attempts with McAfee Enterprise ENS

McAfee Enterprise Endpoint Security (ENS) is currently detecting exploitation attempts and will quarantine the tools utilized to exploit this vulnerability as shown below.

Figure 2. Story Graph summary of exploitation detection by McAfee Enterprise ENS shown in MVISION ePO

Detecting Exploitation Activity with MVISION EDR

MVISION Endpoint Detection and Response (EDR) is currently alerting to the activity of this exploitation as malicious and will note the MITRE techniques and any suspicious indicators related to the exploit attempts.

Figure 3. Detection of zero-day exploitation activity and techniques in MVISION EDR

Threat Intelligence for Exploitation IOCS with MVISION Insights

MVISION Insights will provide the current threat intelligence and known indicators for exploitation of this vulnerability. MVISION Insights will also alert to detections that have been observed, and systems that require additional attention, to prevent widespread infection. MVISION Insights will also include Hunting Rules and Campaign Connections for threat hunting and further intelligence gathering of the threat activity and adversary.

MVISION Insights Campaign: New Windows Zero-Day CVE-2021-41379 With Public Exploit Lets You Become an Admin

Figure 4. Global Prevalence of zero-day exploitation activity in MVISION Insights

Figure 5. Exploitation IOCs and Detections in MVISION Insights

McAfee Enterprise offers Threat Intelligence Briefings along with Cloud Security and Data Protection workshops to provide customers with best practice recommendations on how to utilize their existing security controls to protect against adversarial and insider threats; please reach out if you would like to schedule a workshop with your organization.