Security Patching Simplified To The Extreme
February 2023 Windows Updates brought a fix for CVE-2023-21800 , a vulnerability in Windows Installer that allows a local low-privileged attacker to run their code as Local System. The vulnerability was reported to Microsoft by Adrian Denkiewicz with Doyensec . Adrian subsequently wrote an article detailing the vulnerability , which allowed us to reproduce it and create a patch for our users.
The vulnerability is in one sense a typical symbolic link issue, the types of which we've been seeing in abundance in the past years, but it is also interesting because it includes a privileged process ( msiexec.exe running as Local System) inheriting environment variables from the attacker's parent process. This is something we haven't seen before and it could generally be exploited in different interesting ways.