The issue was tested on Windows 10 version 1709

Feb 21, 2018 09:09 GMT
The flaw exists in Windows 10 version 1709, but could affect other versions too

After revealing an Edge browser vulnerability that Microsoft failed to fix, Google is now back with another disclosure, this time aimed at Windows 10 Fall Creators Update (version 1709), but potentially affecting other Windows versions as well.

James Forshaw, a security researcher who is part of Google’s Project Zero program, says the elevation of privilege vulnerability can be exploited because of the way the operating system handles calls to Advanced Local Procedure Call (ALPC).

This means a standard user could obtain administrator privileges on a Windows 10 computer, which, in the case of an attack, could eventually lead to full control over the impacted system.

But as Neowin noted, this is the second bug discovered in the same function, and both of them, labeled as 1427 and 1428, were reported to Microsoft on November 10, 2017. Microsoft said it fixed them with the release of the February 2018 Patch Tuesday updates, yet as it turns out, only issue 1427 was addressed.

Can’t be exploited remotely

Though the vulnerability remains unpatched, it’s important to note that Microsoft doesn’t consider it to be a Critical bug, having rated it instead as Important. According to the researcher, this is because exploiting the vulnerability involves additional steps and cannot take place remotely, unless the attacker previously obtained access to the target systems by taking advantage of another flaw.

“In order to execute the exploit you'd have to already be running code on the system at a normal user privilege level. It cannot be attacked remotely (without attacking a totally separate unfixed issue to get remote code execution), and also cannot be used from a sandbox such as those used by Edge and Chrome. The marking of this issue as High severity reflects the ease of exploitation for the type of issue, it's easy to exploit, but it doesn't take into account the prerequisites to exploiting the issue in the first place,” Forshaw says.

The next Windows security updates will ship on March 13 as part of the upcoming Patch Tuesday cycle, but with the vulnerability already public, Microsoft might hurry up and publish an out-of-band fix for impacted Windows versions sooner.