0Patch has a patch for Windows "InstallerFileTakeOver" 0-day vulnerability, Microsoft

[harlan4096]

There is a 0-day vulnerability for Windows, called InstallerFileTakeOver, which Microsoft has yet to address. The vulnerability was discovered by Abdelhamid Naceri, a security researcher, who discovered two other 0-day vulnerabilities in Windows this year already.We mentioned the vulnerability in late November 2021 already here on this site. The issue was unpatched back then and Microsoft has yet to release a security update that addresses the vulnerability.

Micro-patching company 0Patch released a free patch for the issue this week that is available to all users. The micropatch that 0Patch released is available for the following operating systems:

• Windows 10 version 1709 to 21H1.
  
• Windows 7 ESU
  
• Windows Server 2012, 2012 R2, 2016, 2019.
  
• Windows Server 2008 R2 ESU
  

0Patch notes that non-ESU Windows 7 and Windows Server 2012 installations are not affected by the vulnerability. Windows Server 2022 and Windows 11 are likely also affected, but not officially supported by the company yet (hence no patch). Windows 8.1 was not analyzed because of low interest in the particular version of Windows.

The vulnerability takes advantage of rollback files that Windows Installer creates during installation. It stores files that are deleted or modified during the installation process, to allow rollbacks. The rollback file is created in system directories and then moved to a temp folder in the user's directory.

Naceri discovered that a symbolic link can be placed in the location, so that the RBF file is moved to another location. The symbolic link points to a file on the system that is then made accessible to the user, provided that Local System has write access to it.
...

Continue Reading