Unpatched Flaw In Microsoft Windows Task Manager Disclosed On Twitter
An angry Twitter user, “SandboxEscaper”, exposed a local privilege escalation vulnerability in Microsoft Windows task manager that could allow an attacker to get administrative access to a Windows system. The now deleted tweet included a link to the proof-of-concept (PoC) for the alleged zero-day vulnerability, which was posted on GitHub. However, the exploit code has since been removed from GitHub.
The researcher, who claims to be tired of IT security work, seems frustrated with Microsoft’s bug bounty program:
Ps: Microsoft is stupid and I can’t wait to sell bugs in their software.
- SandboxEscaper (@SandboxEscaper) August 27, 2018
The vulnerability found resides in the task manager’s Advanced Local Procedure Call (ALPC) interface, which allows an attacker with local user access privileges to gain access to elevated (SYSTEM) privileges.
Researcher Will Dormann, a vulnerability analyst with the U.S. Computer Emergency Readiness Team (US-CERT), confirmed that the exploit code works on fully patched 64-bit Windows 10 and Windows Server 2016 systems. He also said that the exploit code can be modified to run on other Windows versions.
Currently, there are no known patches or specific workarounds to address the vulnerability, CERT confirmed.
Kevin Beaumont, a UK-based security architect, also confirmed the exploit code and published the vulnerability code on GitHub for easy analysis.
On how use of the exploit can be detected, Beaumont advised, “If you use Microsoft Sysmon, look for spoolsv.exe spawning abnormal processes - it’s a sure sign this exploit is being used (or another Spooler exploit). Similarly, if you use Sysmon, look for connhost.exe (Task Scheduler) spawning under abnormal processes (e.g. the Print Spooler).”
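As an added illustration of the Sysmon check Beaumont describes (example code written for this article, not Beaumont's or Microsoft's tooling), the rule below runs over a few constructed Sysmon Event ID 1 process-creation records and flags the two parent/child patterns he names. The allowlists of expected Print Spooler children and expected conhost.exe parents are assumptions that would be tuned per environment; "connhost.exe" in the quote is taken to mean the Windows console host, conhost.exe.

```python
# Constructed sample Sysmon Event ID 1 (process creation) records, reduced to
# the two fields the rule needs. These are made-up entries, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\PrintIsolationHost.exe",
     "ParentImage": r"C:\Windows\System32\spoolsv.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\spoolsv.exe"},
    {"Image": r"C:\Windows\System32\conhost.exe",
     "ParentImage": r"C:\Windows\System32\spoolsv.exe"},
    {"Image": r"C:\Windows\System32\conhost.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

# Children the Print Spooler is expected to launch on a typical host.
# Assumed allowlist for this example; tune it against your own baseline.
EXPECTED_SPOOLER_CHILDREN = {"printisolationhost.exe",
                             "printfilterpipelinesvc.exe"}
# Parents under which conhost.exe normally appears (shells, interactive apps).
# Assumed allowlist for this example; tune it against your own baseline.
EXPECTED_CONHOST_PARENTS = {"cmd.exe", "powershell.exe", "explorer.exe"}


def basename(path):
    """Lower-cased file name from a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event):
    """Return the alert strings raised by one process-creation event."""
    child, parent = basename(event["Image"]), basename(event["ParentImage"])
    alerts = []
    # Pattern 1: the spooler spawning something outside its normal children.
    if parent == "spoolsv.exe" and child not in EXPECTED_SPOOLER_CHILDREN:
        alerts.append(f"spoolsv.exe spawned unexpected child {child}")
    # Pattern 2: a console host appearing under an abnormal parent.
    if child == "conhost.exe" and parent not in EXPECTED_CONHOST_PARENTS:
        alerts.append(f"conhost.exe spawned under abnormal parent {parent}")
    return alerts


def scan(events):
    """Evaluate every event; return (event index, alert) pairs."""
    return [(i, a) for i, ev in enumerate(events) for a in evaluate(ev)]


if __name__ == "__main__":
    for idx, alert in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {alert}")
```

In a real deployment the records would come from the Sysmon operational log (for example via the Windows event forwarding pipeline or a SIEM export) rather than an inline list.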
The actual fix needs to come from Microsoft. A Microsoft representative who acknowledged the flaw reportedly told The Register that the company will “proactively update impacted devices as soon as possible. Our standard policy is to provide solutions via our current Update Tuesday schedule.”
The next scheduled Microsoft Patch Tuesday is likely to take place on September 11. In other words, that would leave attackers ample time to use the exploit code that is already in the wild.
“With the latest Windows OS vulnerability made public, IT professionals need to be extra vigilant regarding their network users’ behaviors,” said Justin Jett, director of audit and compliance for Plixer. “The PoC released by ‘researcher’ SandboxEscaper on Twitter gives malicious actors leverage needed to break into organizations to steal valuable information.”
“Network traffic analytics should continue to be used to detect anomalous traffic going across the network and to spot where users are behaving in a way that they historically don’t,” Jett added. “Such behavior could be a strong indicator that the vulnerability, which allows hackers to escalate their privileges on a system, may be in use.
We’ll have to wait for Microsoft to respond, but if nothing is released until the scheduled September 11 Patch Tuesday, hackers will have a two-week window to take advantage of this vulnerability.”