A zero-day flaw was recently revealed in Microsoft’s Windows task scheduler. Errors in the task scheduler's handling of the Advanced Local Procedure Call (ALPC) interface allow an attacker to escalate privileges. The vulnerability is confirmed to affect the 64-bit operating systems Windows 10 and Server 2016.
ALPC zero-day revealed on Twitter
Zero-day vulnerabilities are nothing to scoff at, especially when released through a rather public platform. This happened to Microsoft when a new zero-day was revealed through Twitter. A user by the name of SandboxEscaper tweeted the following.
“Here is the alpc bug as 0day: https://t.co/m1T3wDSvPX I don’t fucking care about life anymore. Neither do I ever again want to submit to MSFT anyway. Fuck all of this shit. — SandboxEscaper (@SandboxEscaper) 27 August 2018”
The tweet in question was deleted within a few hours of the original posting time and the account deactivated. However, it appears to have been recently reactivated.
The vulnerability allows privilege escalation through the Windows task scheduler, made possible by errors in its handling of the Advanced Local Procedure Call (ALPC) interface. ALPC is a mechanism that allows Windows components to communicate with each other quickly and securely.
Shortly after the release, the vulnerability was confirmed by CERT/CC analyst Will Dormann through the following tweet.
“I’ve confirmed that this works well in a fully-patched 64-bit Windows 10 system. LPE right to SYSTEM! https://twitter.com/SandboxEscaper/status/1034125195148255235 — Will Dormann (@wdormann)”
In the same thread, Dormann also revealed that slight modifications to the original exploit make it possible to run it under 32-bit Windows 10 as well. A full analysis of the vulnerability can be found on CERT’s page.
Can you protect yourself?
As SandboxEscaper did not privately reveal the vulnerability to Microsoft, no patches have been released. Therefore, all Windows users are vulnerable until a patch is released. This is estimated to occur on September 11th, which is the date of Microsoft’s next Patch Tuesday. An experimental patch for the vulnerability is available within the CERT vulnerability description.
As an end-user, your best bet is to wait for a patch. Stay vigilant and avoid clicking strange links or files.