A mishandled disclosure process saw proof-of-concept code for a Windows 10 zero-day flaw released on Twitter, but Microsoft has no patch available.
A self-described retired vulnerability researcher who goes by the handle SandboxEscaper announced the Windows 10 zero-day on Twitter on Aug. 27, complete with proof-of-concept (POC) code hosted on GitHub, but didn't notify Microsoft beforehand. The flaw is part of the Windows Task Scheduler, and it can allow an attacker to obtain system privileges.
According to the CERT Coordination Center (CERT/CC) advisory, the "Windows task scheduler contains a local privilege escalation vulnerability in the Advanced Local Procedure Call (ALPC) interface."
"We have confirmed that the public exploit code works on 64-bit Windows 10 and Windows Server 2016 systems," Will Dormann, vulnerability analyst for CERT/CC, wrote in the advisory. "Compatibility with other Windows versions may be possible with modification of the publicly-available exploit source code."
Dormann also confirmed on Twitter that although the POC released by SandboxEscaper was designed to be a Windows 10 zero-day and affect 64-bit systems, the exploit would also work on 32-bit systems with "minor tweaks."
Craig Young, computer security researcher at Tripwire, based in Portland, Ore., noted that the Windows 10 zero-day would allow "the caller to manipulate file permissions of protected system files."
"This can be used to overwrite system libraries with malicious code to hijack Windows. With this published exploit code, it is trivial for malware to take complete control of the system after the malware has been loaded," Young wrote via email. "Without a privilege escalation bug like this, the malware would be dependent on users clicking through access control alerts or entering administrator credentials."
Risk vs. exploit code
Experts generally agreed the level of risk for this Task Scheduler Windows 10 zero-day wouldn't normally be too severe, because the exploit requires local access. This means an attacker would have to trick a user into downloading and running a malicious program, or they would need to have previously gained access to a system. However, experts said the release of the POC code changes the risk profile for the Windows 10 zero-day.
Allan Liska, solutions architect at Recorded Future, based in Somerville, Mass., added that this Windows 10 zero-day is another flaw in a long history of issues in the Windows Task Scheduler service.
"At this time, there is no patch for the vulnerability. One possible mitigation is to prevent untrusted -- usually guest -- users from running code. However, if an attacker gains access with user-level privilege, this mitigation will not work," Liska said in an email. "The best bet until Microsoft releases a patch is to monitor for suspicious activity from Task Scheduler, and for this specific POC, monitor for the print spooler service spawning unusual processes," he continued.
"Though bear in mind that while the POC uses the print spooler service, this vulnerability is not limited to just the print spooler. With some minor tweaking, the POC code could be used to execute other services."
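Liska's interim advice, watching for the print spooler service spawning unusual processes, can be approximated with an allowlist check over process-creation records. The following is an added example, not code from the article or from anyone quoted in it; it parses constructed Sysmon-style "key=value" lines (the field names EventID, ParentImage, Image and User follow Sysmon's process-creation event, and the sample records are made up), and the set of expected spooler children is an assumption that has to be tuned to the environment being monitored.

```python
"""Flag process-creation records in which the Windows print spooler
(spoolsv.exe) spawns a child outside a small expected set.

Added example: constructed Sysmon-style "key=value" records, not real logs.
Field names (EventID, ParentImage, Image, User) follow Sysmon Event ID 1.
"""
import re

# Assumed allowlist of children the spooler legitimately starts. This is an
# illustrative baseline, not a vetted one; tune it to the environment.
EXPECTED_SPOOLER_CHILDREN = {
    r"c:\windows\system32\printisolationhost.exe",
    r"c:\windows\system32\splwow64.exe",
    r"c:\windows\splwow64.exe",
}

# Constructed sample records (not from any real host). Records 2 and 5 are the
# kind of spawn the mitigation advice above is meant to catch.
SAMPLE_EVENTS = [
    r"EventID=1 ParentImage=C:\Windows\System32\spoolsv.exe Image=C:\Windows\System32\PrintIsolationHost.exe User=NT AUTHORITY\SYSTEM",
    r"EventID=1 ParentImage=C:\Windows\System32\spoolsv.exe Image=C:\Windows\System32\cmd.exe User=NT AUTHORITY\SYSTEM",
    r"EventID=1 ParentImage=C:\Windows\explorer.exe Image=C:\Windows\System32\notepad.exe User=DESKTOP\alice",
    r"EventID=3 Image=C:\Windows\System32\spoolsv.exe DestinationPort=445 User=NT AUTHORITY\SYSTEM",
    r"EventID=1 ParentImage=C:\Windows\System32\spoolsv.exe Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe User=NT AUTHORITY\SYSTEM",
]

# "key=value" pairs; values may contain spaces, so a value runs until the next
# " key=" token or the end of the line.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line: str) -> dict:
    """Turn one record into a dict of field name -> value."""
    return dict(FIELD_RE.findall(line))


def basename(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def spooler_anomalies(lines) -> list:
    """Return one finding per process-creation event whose parent is
    spoolsv.exe and whose child image is not in the expected set."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "1":  # only process-creation events
            continue
        if basename(ev.get("ParentImage", "")) != "spoolsv.exe":
            continue
        child_path = ev.get("Image", "").lower()
        if child_path in EXPECTED_SPOOLER_CHILDREN:
            continue
        findings.append({
            "child": basename(child_path),
            "child_path": child_path,
            "user": ev.get("User", ""),
            "record": line,
        })
    return findings


if __name__ == "__main__":
    for f in spooler_anomalies(SAMPLE_EVENTS):
        print(f"spoolsv.exe spawned {f['child']} as {f['user']}: {f['child_path']}")
```

Because Liska notes the POC is not limited to the print spooler, the same parent/child allowlist check is worth running for other services that should rarely spawn interactive tools, with a per-service expected set in place of EXPECTED_SPOOLER_CHILDREN.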
Without giving specific details, SandboxEscaper expressed frustration with Microsoft and with infosec in general before releasing the Windows 10 zero-day on Twitter, but appeared regretful two days later.
I screwed up, not MSFT (they are actually a cool company). Depression sucks. Also, this bug and the use of hardlinks are of course inspired by Forshaw. Anyway, I'm done with security. This is all just so dumb and stupid.
-- SandboxEscaper (@SandboxEscaper), August 29, 2018
SandboxEscaper had mentioned a battle with depression and a desire to quit vulnerability research in a number of tweets leading up to releasing the POC code, and the vast majority of commenters offered messages of empathy or aid.
Microsoft did not respond to requests for comment at the time of this post.