Despite Microsoft’s efforts to help quell the Spectre and Meltdown CPU issues, it looks as though the company will have to turn its attention to Windows, as a zero-day vulnerability has come to light. Under certain conditions, this new attack could grant perpetrators system privileges.
Twitter user SandboxEscaper made the bug publicly known, with a proof of concept contained within a file uploaded to GitHub. Although it is uncertain whether or not SandboxEscaper had been in contact with Microsoft prior to making it a zero-day issue, the language of the tweet itself shows frustration directed at the company and its bug submission process.
The attack requires the target to first download a specific attack vector that could be hidden within a number of other files, much like the majority of other malware. Once the app has been activated, local privilege escalation gives the malware, and therefore the attacker, access to system privileges. This has been confirmed to work by a number of security experts, such as UK firm DoublePulsar’s Kevin Beaumont and CERT/CC vulnerability analyst Phil Dormann.
“I’ve confirmed that this works well in a fully-patched 64-bit Windows 10 system. LPE right to SYSTEM,” Dormann explains on Twitter, following up with a conclusion to his investigation in a vulnerability note. “Microsoft Windows task scheduler contains a vulnerability in the handling of ALPC, which can allow a local user to gain SYSTEM privileges. The CERT/CC is currently unaware of a practical solution to this problem.”
In response to prompts from The Register, a Microsoft spokesperson confirmed that the company recognises the issue and will “proactively update impacted devices as soon as possible.” The firm pointed towards its Patch Tuesday schedule; however, it wasn’t made clear whether we would see some form of a fix distributed today, next week or beyond, given the sudden reveal.
KitGuru Says: SandboxEscaper is sure to have sped up Microsoft’s plans for a fix, calling into question just how effective its bug bounty schemes are beyond relatively good PR. Hopefully the firm streamlines its process in the future so that issues aren’t released as zero-day bugs.