Microsoft has jumped to react to the disclosure of a previously unknown zero-day vulnerability in the Windows OS.
On Monday (27 August), Twitter user @SandboxEscaper revealed a Microsoft zero-day bug. As well as publicising the bug’s existence, the researcher also included a proof of concept for the vulnerability in a GitHub link.
The tweet is now deleted and there are rumours the same person attempted to sell the zero-day via Reddit under the same username.
A verified issue
Will Dormann, vulnerability analyst at CERT Coordination Center, quickly verified the bug on Tuesday (28 August) and said that the flaw works “well in a fully patched Windows 10 system”.
The vulnerability in question is a local privilege escalation vulnerability, which can allow a user to gain system privileges. It involves a problem with the advanced local procedure call (ALPC) interface of Windows Task Scheduler. The ALPC allows a client process running within the OS to ask a server process running within the same OS to perform an action or provide information. The vulnerability shows that it is possible to use the ALPC to gain system administrator access on a Windows system.
The proof of concept from @SandboxEscaper will be of interest to those who write malware, as it can allow malware running with ordinary user privileges to acquire admin access on targeted systems.
Microsoft told ZDNet: “Windows has a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible. Our standard policy is to provide solutions via our current Update Tuesday schedule.” It is not clear as to when the patch will arrive, but Microsoft’s next scheduled Patch Tuesday is 11 September.
A breakdown of the flaw
Allan Liska, security solutions architect at Recorded Future, broke the vulnerability down for SiliconRepublic.com. “The 64-bit versions of Microsoft Windows 10 and Windows Server 2016 both suffer from a local privilege escalation vulnerability that will allow an attacker who already has access to the system to execute any code as an administrator – in effect, giving the attacker full access to the compromised system.”
Liska noted that although there is no patch for the vulnerability at this time, one possible mitigation is to prevent untrusted (usually guest) users from running code. There’s a caveat here, though, Liska said. “However, if an attacker gains access with user-level privilege (e.g. through a browser remote code execution exploit), this mitigation will not work.
“The best bet until Microsoft releases a patch is to monitor for suspicious activity from Task Scheduler (look for the connhost.exe process) and for this specific PoC monitor for spoolsv.exe (the Print Spooler service) spawning unusual processes, though bear in mind that while the PoC uses the Print Spooler service, this vulnerability is not limited to just the Print Spooler.”
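As an added illustration of the monitoring Liska recommends (this is example code, not from the article or from Recorded Future), the Python below runs over constructed Sysmon-style process-creation records and reports any child of spoolsv.exe that is not on an assumed baseline of legitimate spooler children.

```python
"""Flag the Print Spooler (spoolsv.exe) spawning unexpected child processes.
Added example. Records below are constructed, not real telemetry; field names
follow the Sysmon Event ID 1 (process creation) layout."""

# Assumed baseline of children spoolsv.exe may legitimately start on the
# monitored hosts (start near-empty, add printer-driver helpers as observed).
# The one entry is a constructed placeholder, not a real product path.
SPOOLER_CHILD_BASELINE = {
    r"c:\program files\exampleprinter\driverhelper.exe",
}

# Constructed sample events: a normal spooler start, a baselined driver
# helper, and one suspicious child that should be reported.
SAMPLE_EVENTS = [
    {"UtcTime": "2018-08-28 09:00:01", "Computer": "ws01", "ParentProcessId": 668,
     "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\spoolsv.exe", "CommandLine": "spoolsv.exe"},
    {"UtcTime": "2018-08-28 09:05:12", "Computer": "ws01", "ParentProcessId": 1420,
     "ParentImage": r"C:\Windows\System32\spoolsv.exe",
     "Image": r"C:\Program Files\ExamplePrinter\DriverHelper.exe",
     "CommandLine": "DriverHelper.exe /status"},
    {"UtcTime": "2018-08-28 09:07:45", "Computer": "ws01", "ParentProcessId": 1420,
     "ParentImage": r"C:\Windows\System32\spoolsv.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
]

def image_name(path: str) -> str:
    """Return the lowercase file name from a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()

def find_spooler_anomalies(events: list[dict]) -> list[dict]:
    """Return events where spoolsv.exe is the parent and the child image is
    not in the baseline. Paths are compared case-insensitively."""
    alerts = []
    for ev in events:
        if image_name(ev.get("ParentImage", "")) != "spoolsv.exe":
            continue
        if ev.get("Image", "").lower() in SPOOLER_CHILD_BASELINE:
            continue
        alerts.append({"host": ev["Computer"], "time": ev["UtcTime"],
                       "parent_pid": ev["ParentProcessId"],
                       "child": ev["Image"], "command_line": ev["CommandLine"]})
    return alerts

if __name__ == "__main__":
    for alert in find_spooler_anomalies(SAMPLE_EVENTS):
        print("ALERT spoolsv.exe spawned", alert["child"], "on", alert["host"])
```

In a real deployment the same check would be fed from the host's Sysmon or EDR process-creation stream; as Liska notes, the spooler is only the PoC's chosen target, so the parent filter should be widened to other service processes the Task Scheduler can be made to act on.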