Patch/Configuration Management, Vulnerability Management
Windows 10 zero-day vulnerability released, Microsoft in the dark
A zero-day vulnerability in Windows 10 that abuses a flaw in Windows Task Scheduler has been posted to GitHub by a security researcher who did not first notify Microsoft of the issue.

The individual, who goes by the name SandboxEscaper, posted the vulnerability's details along with a proof of concept showing the exploit being used against a 32-bit version of Windows 10. In his GitHub post SandboxEscaper did not say if Microsoft was notified prior to posting the findings, but in a statement to SC Media Microsoft seems to indicate that this did not happen and that a patch is not ready.

“Microsoft has a customer commitment to investigate reported security issues and we will provide updates for impacted devices as soon as possible. We urge finders to practice coordinated vulnerability disclosure to reduce the potential risk to customers,” a Microsoft spokesperson told SC Media.

SC was unable to get in contact with SandboxEscaper.

The flaw itself is not easy to take advantage of, but if done properly an attacker could gain escalated privileges.

“Although this is not the type of flaw which could readily be abused by malware or remote attackers, it is still quite important that Microsoft releases a fix for this quickly,” said Craig Young, computer security researcher for Tripwire’s VERT.

Young noted several hurdles an attacker would have to overcome to utilize this zero day. First, the person would have to have knowledge of a valid username and password for the system. This means an attacker who has simply achieved code execution on a target, rather than compromising a password, would not be able to gain elevated permissions with this technique.

“The biggest risk that I see from this vulnerability is that of insider threat. For example, employees typically do not have administrative rights on their workstations as this might allow them to install unauthorized software or remove critical security controls. These users of course know their own password and so can trivially exploit this flaw. Bad practices like password reuse or falling for social engineering tactics like phishing could also allow an attacker to exploit this, but only if they have a way to get an interactive login on the system. (e.g. WinRMI, RDP, SSH, VNC, etc),” Young said.

This is the second privilege escalation vulnerability SandboxEscaper has found in Task Scheduler. In September 2018 SandboxEscaper posted one that involves Task Scheduler's Advanced Local Procedure Call interface and can allow a local user to obtain SYSTEM privileges, according to the Aug 27 CERT advisory.