14 DAY TRIAL // The Windows 10 Task Scheduler vulnerability that was disclosed on Twitter earlier this week won’t be getting a patch from Microsoft until the next Patch Tuesday on September 11, but in the meantime, the engineers over at 0patch got you covered.
A third-party fix for the zero-day bug is now available for Windows 10 April 2018 Update (version 1803) 64-bit, and it can be freely downloaded by any user. 0patch customers who are running the 0patch Agent only need to the click the sync now button to get the micropatch automatically.
“Okay people, 24 hours after the 0day was published we have a micropatch candidate for @SandboxEscaper's LPE in Task Scheduler. As you can see, scheduler's access to user-controlled hardlink is impersonating the user and gets ACCESS DENIED,” the official 0patch Twitter account posted.
No change required on Patch Tuesday
Since this is a third-party Windows security update, many are wondering if any conflict could be generated when Microsoft publishes its own patch next month.
But according to 0patch, that won’t be the case, and users will be able to install updates just like they do every month without any tweak required for this emergency fix.
“Many are asking what will happen when Microsoft releases their official update to fix this vulnerability and you have 0patch Agent with out micropatch installed. Simply, micropatch will stop getting applied because the DLL with the specific crypto hash will no longer be there,” the company explained.
While many are reluctant to installing third-party Windows security updates, this is the only way to resolve the recently-discovered Windows 10 zero-day bug at this point.
However, for unpatched systems the typical mitigation techniques could still keep them protected, such as avoiding the download of files coming from unknown sources. A successful exploit requires a user to first download a compromised app on the system, so blocking any malicious files could be effective until a patch ships.