Microsoft released an important update to the Windows 10 Operating System (OS) a day ago. However, even this update does not have a patch to protect against an interesting, simple and yet highly potent security flaw. The vulnerability exists in Windows 10’s advanced Task Scheduler. When exploited, Task Scheduler can essentially grant complete administrative privileges to the exploiter.
A hacker who goes by the online alias “SandboxEscaper”, posted the bug. Apparently, the exploit has serious security implications in Windows 10. Interestingly, the hacker chose to post the zero-day exploit on GitHub, a repository of software tools and development code that Microsoft acquired recently. The hacker even released Proof-of-Concept (PoC) exploit code for the zero-day vulnerability affecting the Windows 10 operating system.
The exploit falls under the zero-day category primarily because Microsoft has yet to acknowledge the same. Once the Windows 10 maker takes cognizance, it should offer a patch that will plug the loophole which exists within the Task Scheduler.
Task Scheduler is one of the core components of Windows OS that has existed from the days of Windows 95. Microsoft has continually improved upon the utility which essentially allows OS users to schedule the launch of programs or scripts at a predefined time or after specified time intervals. The exploit posted on GitHub utilizes ‘SchRpcRegisterTask’, a method in Task Scheduler to register tasks with the server.
For reasons yet unknown, the program does not check for permissions as thoroughly as it should. Hence, it can be used to set an arbitrary DACL (Discretionary Access Control List) permission. A program written with malicious intent or even an attacker with lower-level privileges can run a malformed .job file to obtain ‘SYSTEM’ privileges. Essentially, this is a case of unsanctioned or unauthorized privilege escalation issue that can potentially allow a local attacker or malware to gain and run code with administrative system privileges on the targeted machines. Eventually, such attacks will grant the attacker full administrative privileges of the targeted Windows 10 machine.
A Twitter user claims to have verified the zero-day exploit and confirmed it works on Windows 10 x86 system that has been patched with the latest May 2019 update. Moreover, the user adds the vulnerability can be exploited 100 percent of the time with ease.
I can confirm that this works as-is on a fully patched (May 2019) Windows 10 x86 system. A file that is formerly under full control by only SYSTEM and TrustedInstaller is now under full control by a limited Windows user.
Works quickly, and 100% of the time in my testing. pic.twitter.com/5C73UzRqQk
— Will Dormann (@wdormann) May 21, 2019
If that’s not concerning enough, the hacker has also hinted he has 4 more undisclosed zero-day bugs in Windows, three of which leads to local privilege escalation and the fourth one lets attackers bypass sandbox security. Needless to add, Microsoft has yet to acknowledge the exploit and issue a patch. This essentially means Windows 10 users need to wait for a security fix for this particular vulnerability.