Windows Zero-Day Vulnerability Comes With PoC on GitHub

A new zero-day vulnerability was recently made public following a Tweet from @SandboxEscaper, who claimed to be frustrated with Microsoft and, apparently, their bug submission process.

The tweet included a link to the proof-of-concept for the alleged zero-day vulnerability on GitHub, prompting security researchers to download and test @SandboxEscaper”s claims.

Following an assessment by CERT/CC vulnerability analyst Phil Dormann, the bug was verified and confirmed to be working on a fully-patched 64-bit Windows 10 machine, enabling attackers to gain admin privileges if exploited.

It”s unclear if the zero-day would work on all Microsoft supported Windows versions, including 32-bit ones, but it”s definitely cause for concern, since the PoC is publicly available and can easily be weaponized by threat actors.

I’ve confirmed that this works well in a fully-patched 64-bit Windows 10 system.
LPE right to SYSTEM! https://t.co/My1IevbWbz

— Will Dormann (@wdormann) August 27, 2018

While the zero-day does require some specific conditions for execution – an attacker needs the victim to download and execute a tainted application for the vulnerability to be exploited, an attack vector that is not uncommon, especially with APTs (Advanced Persistent Threats) and spearphishing.

“Microsoft Windows task scheduler contains a local privilege escalation vulnerability in the Advanced Local Procedure Call (ALPC) interface, which can allow a local user to obtain SYSTEM privileges,” reads the CERT/CC advisory. “The CERT/CC is currently unaware of a practical solution to this problem.”

While it”s uncertain whether Microsoft had been previously notified by @SandboxEscaper regarding the zero-day, the tweet does suggest that an interaction with Microsoft caused some friction.

Following the incident, a Microsoft spokesperson claims the company will “proactively update impacted devices as soon as possible,” potentially during a Patch Tuesday release.