December 8, 2021

How To Fix “InstallerFileTakeOver” 0day LPE Vulnerability In Windows?


Researcher Abdelhamid Naceri has disclosed another vulnerability that allows a local non-admin user to overwrite an existing file to which they do not have write access. The vulnerability had not been assigned a CVE at the time of writing this post; it is identified only as the “InstallerFileTakeOver” vulnerability. Unfortunately, Microsoft hasn’t released security updates to fix the “InstallerFileTakeOver” 0day vulnerability in Windows. However, a micropatch released by 0patch could protect you from this vulnerability. Let’s see how to fix the “InstallerFileTakeOver” 0day LPE (Local Privilege Elevation) vulnerability using 0patch.

Summary Of “InstallerFileTakeOver” 0day LPE Vulnerability:

The vulnerability lies in the process of RBF file creation. An RBF (Rollback File) stores the content of all files deleted or modified during the installation process. The Windows Installer program creates RBF files in the C:\Windows\Installer\Config.msi folder so that the original files can be restored later when a rollback is initiated.

Later, when the Windows Installer program moves the RBF file created in the C:\Windows\Installer\Config.msi folder to a known location in the user’s Temp folder, it modifies the permissions to give the user write access to the file. The vulnerability allows the attacker to create a symbolic link to the RBF files and move them from the C:\Windows\Installer\Config.msi folder to a location of the user’s choosing on the system. Since Windows Installer runs as Local System, any file writable by Local System can be overwritten and made writable by the local user. This may lead to local privilege escalation. Please read the full technical details here.

Before releasing the PoC for this vulnerability, researcher Abdelhamid Naceri disclosed a couple of local privilege elevation vulnerabilities, CVE-2021-34484 and CVE-2021-41379, and the information disclosure vulnerability CVE-2021-24084, within a month.

Windows Versions Affected By “InstallerFileTakeOver” 0day LPE Vulnerability:

Research says that this vulnerability affects all versions of the fully patched Windows operating system, including Windows 11 and Windows Server 2022.

Micropatch Released For The Windows Operating System:

This micropatch was released for these Windows Operating Systems: 

  1. Windows 10 v21H1 (32 & 64 bit)

  2. Windows 10 v20H2 (32 & 64 bit)

  3. Windows 10 v2004 (32 & 64 bit)

  4. Windows 10 v1909 (32 & 64 bit)

  5. Windows 10 v1903 (32 & 64 bit)

  6. Windows 10 v1809 (32 & 64 bit)

  7. Windows 10 v1803 (32 & 64 bit)

  8. Windows 10 v1709 (32 & 64 bit)

  9. Windows 7 ESU (32 & 64 bit)

  10. Windows Server 2019

  11. Windows Server 2016

  12. Windows Server 2012 R2

  13. Windows Server 2012

  14. Windows Server 2008 R2 ESU (32 & 64 bit)

How To Fix “InstallerFileTakeOver” 0day LPE Vulnerability?

Although Microsoft hasn’t released a security update to fix the Local Privilege Escalation (LPE) vulnerability, a micropatch is available that could protect against the 0day vulnerability. 0patch said that its micropatch targets the RBF file move operation. Before the move operation is initiated, the 0patch micropatch checks for symbolic links, soft-links, shortcut icons, or any junctions created for the destination folder. If any is found, it treats the move operation as an exploitation attempt and blocks it.
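
The check described above, sketched as an added example (this is not 0patch's code and not part of the original post): before moving a file, inspect every component of the destination path and refuse the move if any of them is a symbolic link or an NTFS reparse point such as a junction. The function names and the temporary sample tree are assumptions made for illustration.

```python
import os
import shutil
import stat
import tempfile
from pathlib import Path


def is_link_or_reparse_point(path):
    """True if path itself is a symlink or an NTFS reparse point (junction, mount point)."""
    try:
        st = os.lstat(path)  # lstat inspects the entry itself, never its target
    except FileNotFoundError:
        return False
    attrs = getattr(st, "st_file_attributes", 0)  # field only exists on Windows
    return stat.S_ISLNK(st.st_mode) or bool(attrs & stat.FILE_ATTRIBUTE_REPARSE_POINT)


def links_in_destination(dest, trusted_root):
    """List every component of dest below trusted_root that is a link (ValueError if outside)."""
    root, rel = Path(trusted_root), Path(dest).relative_to(trusted_root)
    prefixes = [root.joinpath(*rel.parts[:i + 1]) for i in range(len(rel.parts))]
    return [str(p) for p in prefixes if is_link_or_reparse_point(p)]


def guarded_move(src, dest, trusted_root):
    """Move src to dest unless a link sits anywhere on the destination path."""
    # Check-then-move is racy in user mode; a real guard must pin the checked directories.
    found = links_in_destination(dest, trusted_root)
    if found:
        raise PermissionError(f"move blocked, link on destination path: {found}")
    shutil.move(str(src), str(dest))
    return Path(dest)


def demo():
    """Run a redirected and a clean move on a constructed temp tree (not real installer paths)."""
    root = Path(tempfile.mkdtemp())
    (root / "Temp").mkdir()
    (root / "protected").mkdir()
    src = root / "sample.rbf"
    src.write_text("rollback data")
    os.symlink(root / "protected", root / "Temp" / "redirect", target_is_directory=True)
    try:
        guarded_move(src, root / "Temp" / "redirect" / "sample.rbf", root)
        blocked = False
    except PermissionError:
        blocked = True
    moved = guarded_move(src, root / "Temp" / "sample.rbf", root)
    return blocked, moved.exists(), list((root / "protected").iterdir())
```

Calling `demo()` returns whether the redirected move was blocked, whether the clean move succeeded, and the contents of the protected folder, which should stay empty.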


0patch said that it has made the micropatch free until the official patch is available. We recommend making use of this micropatch. To use the micropatch, create a free account in 0patch Central, download the 0patch agent, and install and enable it on your Windows system. The 0patch agent will take care of everything else. No reboot is needed to complete this process.

Step 1. Create a free account in 0patch

Visit 0patch and log in if you already have an account, or register using an email ID.

Note: It’s a free registration.

Step 2. Download free 0patch agent

Download the 0patch agent from here:

Step 3. Execute the 0patch agent

You do not need to do anything special to install the patch. Launch the agent, and the patch will be installed by itself.

Step 4. Accept License agreement
Step 5. Select installation folder

Choose the installation path, or keep the default.

Step 6. Confirm installation
Step 7. Finish 0patch agent installation
Step 8. Sign into 0patch agent
Step 9. 0patch dashboard

You will start seeing the number of available updates on the dashboard upon signing in to the agent.

Step 10. Fix “InstallerFileTakeOver” 0day LPE Vulnerability

Click on the ‘PATCH WAS APPLIED’ tiles to see that the patch was applied for the “InstallerFileTakeOver” 0day LPE vulnerability.

We hope this post helps you understand how to fix the “InstallerFileTakeOver” 0day vulnerability in Windows. Thanks for reading this threat post. Please share this post and help to secure the digital world. Visit our social media pages on Facebook, LinkedIn, Twitter, Telegram, Tumblr, & Medium and subscribe to receive updates like this.

Arun KL

Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.
