The exploit works in Windows 10, Windows 11, and Windows Server and was supposed to have been fixed in the November 2021 Patch Tuesday.

Vole’s 'Windows Installer Elevation of Privilege Vulnerability' vulnerability is tracked as CVE-2021-41379 and was spotted by security researcher Abdelhamid Naceri.

But Naceri found a bypass to the patch and a more powerful new zero-day privilege elevation vulnerability after examining Microsoft's fix. He published a working proof-of-concept exploit for the new zero-day on GitHub, explaining that it works on all supported versions of Windows.

"This variant was discovered during the analysis of CVE-2021-41379 patch. The bug was not fixed correctly, however, instead of dropping the bypass. I have chosen to actually drop this variant as it is more powerful than the original one."

Naceri explained that while it is possible to configure group policies to prevent 'Standard' users from performing MSI installer operations, his zero-day bypasses this policy and will work anyway. His 'InstallerFileTakeOver' exploit, and it only took a few seconds to gain SYSTEM privileges from a test account with 'Standard' privileges.

Naceri said he is hacked off with Vole over its decreasing payouts in their bug bounty programme so he is releasing the exploit. He recommends users wait for Microsoft to release a security patch, as attempting to patch the binary will likely break the installer. We guess that they will be rushing to do this a little quicker.

A Microsoft spokesperson said in a statement: "We are aware of the disclosure and will do what is necessary to keep our customers safe and protected. An attacker using the methods described must already have access and the ability to run code on a target victim's machine."