A new zero-day vulnerability was recently made public following a Tweet from @SandboxEscaper, who claimed to be frustrated with Microsoft and, apparently, their bug submission process.
The tweet included a link to the proof-of-concept for the alleged zero-day vulnerability on GitHub, prompting security researchers to download and test @SandboxEscaper’s claims.
Following an assessment by CERT/CC vulnerability analyst Phil Dormann, the bug was verified and confirmed to be working on a fully-patched 64-bit Windows 10 machine, enabling attackers to gain admin privileges if exploited.
It’s unclear if the zero-day would work on all Microsoft supported Windows versions, including 32-bit ones, but it’s definitely cause for concern, since the PoC is publicly available and can easily be weaponized by threat actors.
I’ve confirmed that this works well in a fully-patched 64-bit Windows 10 system.
LPE right to SYSTEM! https://t.co/My1IevbWbz
— Will Dormann (@wdormann) August 27, 2018
While the zero-day does require some specific conditions for execution – an attacker needs the victim to download and execute a tainted application for the vulnerability to be exploited, an attack vector that is not uncommon, especially with APTs (Advanced Persistent Threats) and spearphishing.
“Microsoft Windows task scheduler contains a local privilege escalation vulnerability in the Advanced Local Procedure Call (ALPC) interface, which can allow a local user to obtain SYSTEM privileges,” reads the CERT/CC advisory. “The CERT/CC is currently unaware of a practical solution to this problem.”
While it’s uncertain whether Microsoft had been previously notified by @SandboxEscaper regarding the zero-day, the tweet does suggest that an interaction with Microsoft caused some friction.
Following the incident, a Microsoft spokesperson claims the company will “proactively update impacted devices as soon as possible,” potentially during a Patch Tuesday release.