Windows Zero-Day Vulnerability Disclosed Via Twitter, Microsoft Scrambles For Fix
A former security
researcher decided to go out with a bang after apparently deciding to retire from the security game and blog about traveling instead. Known on Twitter as SandboxEscaper, the researcher revealed in a tweet a zero-day vulnerability
affecting Windows rather than submitting a bug report to Microsoft
The former security researchers also posted a link to a proof-of-concept on Github, in case anyone thought the vulnerability was not real. It is, and Microsoft is working on a fix.
Here is the alpc bug as 0day: https://t.co/m1T3wDSvPX I don't fucking care about life anymore. Neither do I ever again want to submit to MSFT anyway. Fuck all of this shit.
— SandboxEscaper (@SandboxEscaper) August 27, 2018
"I'm a retired Vulnerability Researcher.
I make a living writing travel blogs now," the researcher's About Me page on SandboxEscaper.com states.
The incident essentially boils down to a big middle finger aimed squarely at Microsoft, with Windows users potentially getting caught in the crossfire—this is not the proper way to reveal a zero-day bug. It caught the attention of Will Dormann, an analyst at CERT/CC, who verified the vulnerability.
Dormann confirmed that the exploit works in a fully patched system running Windows 10 64-bit, and with "minor tweaks," it also affects the 32-bit version of Windows 10. The zero-day bug is related to the task scheduler.
"Microsoft Windows task scheduler contains a vulnerability in the handling of ALPC, which can allow a local user to gain SYSTEM privileges. We have confirmed that the public exploit code works on 64-bit Windows 10 and Windows Server 2016 systems. Compatibility with other Windows versions may be possible with modification of the publicly-available exploit source code," CERT/CC stated in an advisory
In short, the vulnerability leaves Windows 10
users susceptible to malware and hacks (by logged in users) that would give an attacker full control of a system. However, ALPC (Advanced Local Procedure Call) means this is a local bug, so it's somewhat contained. The exception is if an attacker can trick a user into downloading and installing malware.
"Windows has a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible," Microsoft said in a statement. "Our standard policy is to provide solutions via our current Update Tuesday schedule."
In other words, Microsoft is aware of the issue, but doesn't deem the security threat high enough to warrant an out-of-band security patch. It will be addressed with the next Patch Tuesday update.