Home / Tech News / Featured Tech News / Microsoft acknowledges Windows zero-day vulnerability

Microsoft acknowledges Windows zero-day vulnerability

Damien Mason August 28, 2018 Featured Tech News, Operating Systems

Despite Microsoft’s efforts helping to quell Spectre and Meltdown CPU issues, it looks as though the company will have to turn its attention to Windows as a zero-day vulnerability has come to light. Pending some specific conditions, this new attack could grant perpetrators system privileges.

Twitter user SandboxEscaper made the bug publicly known with proof of concept contained within a file uploaded to GitHub. Although it is uncertain whether or not SandboxEscaper had been in contact with Microsoft prior making it a zero-day issue, the language of the tweet itself shows frustration directed at the company and its bug submission process.

The attack requires the target to first download a specific attack vector that could be hidden within a number of other files, much like the majority of other malware. Once the app has been activated, local privilege escalation gives the malware, and therefore the attacked, access to system privileges. This has been confirmed to work by a number of security experts, such as UK firm DoublePulsar’s Kevin Beaumont and CERT/CC vulnerability analyst Phil Dormann.

“I've confirmed that this works well in a fully-patched 64-bit Windows 10 system. LPE right to SYSTEM,” Dormann explains on Twitter, following up with a conclusion to his investigation in a vulnerability note. “Microsoft Windows task scheduler contains a vulnerability in the handling of ALPC, which can allow a local user to gain SYSTEM privileges. The CERT/CC is currently unaware of a practical solution to this problem.”

In response to prompts from The Register, a Microsoft spokesperson confirmed that the company recognises the issue and will “proactively update impacted advices as soon as possible.” The firm pointed towards its Patch Tuesday schedule, however it wasn’t made clear whether we would see some form of a fix distributed today, next week or beyond given the sudden reveal.

KitGuru Says: SandboxEscaper is sure to have sped Microsoft’s plans for a fix up, calling into question just how effective its bug bounty schemes are beyond relatively good PR. Hopefully the firm streamlines its process in the future so that issues aren’t released as a zero-day bug.

Become a Patron!

Tags

Check Also

Just Cause 5 was reportedly cancelled after years of development

Just Cause has been on ice since the release of Just Cause 4 on Xbox One, PS4 and PC. As it turns out, Just Cause 5 was in development for a number of years, but it had been cancelled before it could be announced publicly. 

© Copyright 2025, Kitguru.net All Rights Reserved Standard Terms

We've noticed that you are using an ad blocker.

Thank you for visiting KitGuru. Our news and reviews teams work hard to bring you the latest stories and finest, in-depth analysis.

We want to be as informative as possible – and to help our readers make the best buying decisions. The mechanism we use to run our business and pay some of the best journalists in the world, is advertising.

If you want to support KitGuru, then please add www.kitguru.net to your ad blocking whitelist or disable your adblocking software. It really makes a difference and allows us to continue creating the kind of content you really want to read.

It is important you know that we don’t run pop ups, pop unders, audio ads, code tracking ads or anything else that would interfere with the KitGuru experience. Adblockers can actually block some of our free content, such as galleries!