Earlier this week, a user on Twitter who goes by the username SandboxEscaper posted on the social media platform’s feed with information regarding a zero-day local privilege escalation vulnerability plaguing Microsoft’s Windows operating system. The user, SandboxEscaper, also included a proof of concept along with his post which was linked through to via a GitHub website reference containing the proof of concept in detail.
According to the information that the user posted, the local privilege escalation vulnerability exists in the Advanced Local Procedure Call (ALPC) interface that Microsoft Windows’ Task Scheduler uses. Exploiting this vulnerability can grant a malicious attacker the right to obtain local user privileges of the system on the device exploited.
Continuing the user’s tweet, it seems that there is no vendor released work around for this vulnerability as of yet. It also seems that despite the vulnerability’s discussion on Twitter by SandboxEscaper and its validation by other security researchers such as Kevin Beaumont, the vulnerability has not been officially resolved by the vendor and it has not even received a CVE identification label as of yet for further investigation and public information release. Despite the fact that it hasn’t been processed in the CVE domain, the vulnerability has been ranked on the CVSS 3.0 scale to be of medium risk demanding quick attention.
There’s an end user -> SYSTEM privilege escalation bug in Windows via Task Scheduler, it works. Also somebody hire @SandboxEscaper. https://t.co/TArOrY0YGV
— Kevin Beaumont (@GossiTheDog) August 27, 2018
Although Microsoft has not released any fix, official update, or advisory concerning the issue as of yet, a spokesperson from Microsoft has confirmed that the company is aware of the vulnerability, adding that Microsoft will “proactively update impacted advices as soon as possible.” Given Microsoft’s track record in providing quick and smart fixes for risky vulnerabilities, we can expect an update very soon.
0patch, however, has released a micropatch for the vulnerability in the meanwhile that affected users can implement if need be. The micropatch works on fully updated 64bit Windows 10 version 1803 and 64bit Windows Server 2016. To attain this micropatch, you must download and run the 0patch Agent installer, sign up for the sevice with an account and then download available micropatch updates according to the needs of your system. The download page contains this latest Task Scheduler vulnerability micropatch as well. 0patch warns that the micropatch is a temporary fix and the official release from Microsoft should be sought as a permanent solution to the vulnerability.
Surprisingly, SandboxEscaper disappeared off of Twitter entirely with his account disappearing from the mainstream feeds soon after the information regarding the zero-day Windows exploit was posted. It seems that the user is now back on Twitter (or is fluctuating off and on the social media site), but no new information has been shared on the issue.