Windows Installer 权限提升漏洞

该漏洞的潜在影响非常严重。攻击者可以利用此漏洞绕过安全机制，获取系统管理员权限。一旦获得管理员权限，攻击者可以安装恶意软件、窃取敏感数据、修改系统配置，甚至完全控制受影响的系统。攻击者可能通过恶意软件或利用其他漏洞来触发此权限提升，从而实现其目标。由于 Windows Installer 在 Windows 操作系统中扮演着关键角色，该漏洞的利用可能导致广泛的安全风险。

Systems administrators managing Windows environments are at significant risk. Users with administrative privileges, particularly those who frequently install software via the Windows Installer, are also vulnerable. Organizations relying on legacy Windows configurations or shared hosting environments with limited control over the underlying operating system should prioritize patching.

• Windows: Use Windows Defender to scan for suspicious processes leveraging the Windows Installer service.

Get-Process | Where-Object {$_.ProcessName -like '*msiexec*' -and $_.CPU -gt 10} | Stop-Process -Force

• Windows: Check Autoruns for unusual entries related to the Windows Installer.

Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' | Select-Object -ExpandProperty Values

• Windows: Examine Windows Event Logs for errors or warnings related to the Windows Installer service. Filter for Event ID 1000 or higher with source 'Msisetup'. • Windows: Monitor scheduled tasks for any newly created or modified tasks that utilize the Windows Installer.

1. 2025-01-14Disclosure

   disclosure

1. 已保留2024-12-10
2. 发布日期2025-01-14
3. 修改日期2026-02-13
4. EPSS 更新日期2026-04-02

缓解此漏洞的首要措施是立即更新 Windows Installer 至版本 10.0.26100.2894 或更高版本。如果无法立即更新，可以考虑使用组策略限制 Windows Installer 的功能，例如禁用 MSI 安装程序或限制其访问权限。此外，实施严格的访问控制策略，并定期审查用户权限，可以降低攻击者利用此漏洞的风险。在更新后，请验证 Windows Installer 版本是否已成功更新，并检查系统日志中是否存在异常活动。