Zero-day discovered and published on Twitter

Aug 28, 2018 07:25 GMT

Microsoft has just been caught off guard, as a security researcher disclosed on Twitter a zero-day flaw in Windows that allows an attacker to gain SYSTEM privileges on an affected computer.

Disclosed in a tweet by @SandboxEscaper (the original post and the account have both been removed), the vulnerability exists in the task scheduler, and a successful attack requires the user to download a malicious app on a target machine.

CERT researcher Phil Dormann confirmed the bug on the social network and explained that it works “on a fully-patched 64-bit Windows 10 system. LPE right to SYSTEM!”

An advisory published by CERT provides more details regarding the vulnerability, but emphasizes that a patch is not yet available for Windows 10 systems.

“Microsoft Windows task scheduler contains a local privilege escalation vulnerability in the Advanced Local Procedure Call (ALPC) interface, which can allow a local user to obtain SYSTEM privileges,” the advisory reads. “Microsoft Windows task scheduler contains a vulnerability in the handling of ALPC, which can allow a local user to gain SYSTEM privileges. A local user may be able to gain elevated (SYSTEM) privileges.”

Patch possibly landing next month

Microsoft said in a statement to The Register that a fix for the vulnerability may land on the next Patch Tuesday, which in September takes place on the 11th.

By the looks of things, all Windows 10 versions are affected, regardless of the level of patching, as fully up-to-date systems are said to be vulnerable as well. Older Windows releases, like Windows 7 and Windows 8.1, aren’t impacted by the issue.

In the meantime, users are advised to avoid downloading and running apps and files from untrusted sources, because the local privilege escalation can only be triggered by an application already running on the target system.