Microsoft Windows MsiAdvertise Product function vulnerable to privilege escalation via race condition – 20th DEC 2018

Preface: MsiAdvertiseProduct function enables the installer to write to a script the registry and shortcut information used to assign or publish a product.

Vulnerability details:
Due to improper validation, the affected function can be abused to force installer service into making a copy of any file as SYSTEM privileges and read its content, resulting in arbitrary file read vulnerability.
A race condition occurs when two or more threads can access shared data and they try to change it at the same time. Because the thread scheduling algorithm can swap between threads at any time, you don’t know the order in which the threads will attempt to access the shared data. As a result it create a chance to attacker to access the shared data. Perhaps the access control list might lost control in such circumstances.

Remedy: Vendor did not release the patch yet since this is a new exploit (Zero-day).

Comment: Suggest to observe Event ID 11707 or 1033 in your SIEM.

Remark: Windows logs has several different events when you install or uninstall software. The Installation events are Event ID of 11707 or 1033.

Wishing you a Merry Christmas and a safe cyber prosperous new year!