What just happened? A zero-day vulnerability has been discovered in Windows and disclosed on Twitter by a security researcher. A user called SandboxEscaper revealed the bug, which has since been verified by US-CERT.
SandboxEscaper included a link to a proof-of-concept for the vulnerability on their GitHub. CERT/CC engineer Will Dormann has verified the issue and said it works “well in a fully-patched 64-bit Windows 10 system.”
According to Dormann, the vulnerability is a local privilege escalation flaw in the Microsoft Windows task scheduler that’s caused by errors in the handling of Advanced Local Procedure Call (ALPC) systems. It’s unclear whether the bug affects all versions of Windows, such as Windows 7.
“Microsoft Windows task scheduler contains a vulnerability in the handling of ALPC, which can allow a local user to gain SYSTEM privileges. The CERT/CC is currently unaware of a practical solution to this problem,” reads the CERT note.
ALPC, which enables high-speed inter-process communication, is a local mechanism, so the impact is limited: the flaw can only be exploited by code already running on the machine. But an attacker could trick a victim into downloading a malicious app, usually through a phishing scam, and use it to exploit the vulnerability. The bug has been given a CVSS score of 6.4 to 6.8.
It appears that Microsoft is waiting until its next scheduled Patch Tuesday—September 11—to issue a fix. A spokesperson told ZDNet: “Windows has a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible. Our standard policy is to provide solutions via our current Update Tuesday schedule.”