search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Microsoft Windows MsiAdvertiseProduct function vulnerable to privilege escalation via race condition

Vulnerability Note VU#228297

Original Release Date: 2018-12-20 | Last Revised: 2018-12-20


The Microsoft Windows MsiAdvertiseProduct function contains a race-condition vulnerability, which can allow an authentication attacker to elevate privileges to read protected files.


The Microsoft Windows MsiAdvertiseProduct function allows a Windows installer product to generate a script to advertise a product to Windows, which handles shortcut and registry information associated with an installed application. The MsiAdvertiseProduct contains a race condition while performing checks, which can allow an attacker to read an arbitrary file which would otherwise be protected with filesystem ACLs.

Exploit code for this vulnerability is publicly available.


By calling the MsiAdvertiseProduct function in a crafted way, an authenticated attacker may be able to read files that would otherwise be restricted through filesystem ACLs.


The CERT/CC is currently unaware of a practical solution to this problem.

Vendor Information


Microsoft Affected

Updated:  December 20, 2018



Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

CVSS Metrics

Group Score Vector
Base 4.6 AV:L/AC:L/Au:S/C:C/I:N/A:N
Temporal 4.4 E:F/RL:U/RC:C
Environmental 4.3 CDP:ND/TD:H/CR:ND/IR:ND/AR:ND



This vulnerability was publicly disclosed by SandboxEscaper.

This document was written by Will Dormann.

Other Information

CVE IDs: None
Date Public: 2018-12-19
Date First Published: 2018-12-20
Date Last Updated: 2018-12-20 21:11 UTC
Document Revision: 11

Sponsored by CISA.