Microsoft Windows zero-day vulnerability exposed through Twitter

Unpatched Flaw In Microsoft Windows Task Manager Disclosed On Twitter

An angry Twitter user ‘SandboxEscaper’ exposed a local privilege escalation vulnerability in the Microsoft Windows task manager that could allow an attacker to get administrative access to a Windows system. The now deleted tweet included a link to the proof-of-concept (PoC) for the alleged zero-day vulnerability that was posted on GitHub. However, the exploit code has since been removed from GitHub.

The researcher, who claims to be tired of IT security work, seems frustrated with Microsoft’s bug bounty program:

Ps: Microsoft is stupid and I can’t wait to sell bugs in their software.

— SandboxEscaper (@SandboxEscaper) August 27, 2018

The vulnerability found resides in the task manager’s Advanced Local Procedure Call (ALPC) interface, which allows an attacker with local user access privileges to gain access to elevated (SYSTEM) privileges.

Researcher Will Dormann, a vulnerability analyst with the U.S. Computer Emergency Readiness Team (US-CERT), confirmed that the exploit code works on fully patched 64-bit Windows 10 and Windows Server 2016 systems. He also said that the exploit code can be modified to run on other Windows versions.

Currently, there are no known patches or specific workarounds to address the vulnerability, CERT confirmed.

Kevin Beaumont, a UK-based security architect, also confirmed the exploit code and published the vulnerability code on GitHub for easy analysis.

On how use of the exploit can be detected, Beaumont advised, “If you use Microsoft Sysmon, look for spoolsv.exe spawning abnormal processes — it’s a sure sign this exploit is being used (or another Spooler exploit). Similarly, if you use Sysmon, look for connhost.exe (Task Scheduler) spawning under abnormal processes (e.g. the Print Spooler).”
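As an added example (not code from Beaumont or from this article), the Sysmon check he describes expressed as detection logic: parse process-creation records (Event ID 1) and flag any child of spoolsv.exe that is not in an expected set. The allowlist of expected spooler children is an assumption to be tuned per environment, and the event records are constructed sample data rather than real telemetry.

```python
"""Flag Sysmon Event ID 1 records where spoolsv.exe spawns an unexpected child."""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Assumed allowlist of children the Print Spooler normally starts;
# tune it to your environment. Anything else under spoolsv.exe is flagged.
SPOOLER_EXPECTED_CHILDREN = {"splwow64.exe", "printfilterpipelinesvc.exe"}

def sysmon_event(event_id, image, parent_image):
    """Build a minimal Sysmon event record (constructed sample data, not real telemetry)."""
    return f"""<Event xmlns="{NS['e']}">
      <System><EventID>{event_id}</EventID></System>
      <EventData>
        <Data Name="Image">{image}</Data>
        <Data Name="ParentImage">{parent_image}</Data>
      </EventData></Event>"""

SAMPLE_EVENTS = [
    sysmon_event(1, r"C:\Windows\System32\splwow64.exe", r"C:\Windows\System32\spoolsv.exe"),
    sysmon_event(1, r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\spoolsv.exe"),
    sysmon_event(1, r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe"),
    sysmon_event(5, r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\spoolsv.exe"),
]

def parse_event(xml_text):
    """Return (event_id, {Data Name: value}) for one Sysmon event."""
    root = ET.fromstring(xml_text)
    event_id = root.findtext("e:System/e:EventID", namespaces=NS)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, data

def basename(path):
    """Lower-cased file name of a Windows path, so comparisons are case-insensitive."""
    return path.rsplit("\\", 1)[-1].lower()

def suspicious_spooler_children(events):
    """Return the file names of spoolsv.exe children that are not in the expected set."""
    hits = []
    for xml_text in events:
        event_id, data = parse_event(xml_text)
        if event_id != "1":          # only process-creation events carry ParentImage
            continue
        parent = basename(data.get("ParentImage", ""))
        child = basename(data.get("Image", ""))
        if parent == "spoolsv.exe" and child not in SPOOLER_EXPECTED_CHILDREN:
            hits.append(child)
    return hits
```

Running `suspicious_spooler_children(SAMPLE_EVENTS)` over the constructed records flags only the cmd.exe launched by the spooler; the benign splwow64.exe child and the non-spooler parent are ignored.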

The actual fix needs to come from Microsoft. A Microsoft representative who acknowledged the flaw reportedly told The Register that the company will “proactively update impacted devices as soon as possible. Our standard policy is to provide solutions via our current Update Tuesday schedule.”

The next scheduled Microsoft Patch Tuesday is likely to take place on September 11. In other words, attackers would have ample time to exploit the vulnerability using the code that is already in the wild.

“With the latest Windows OS vulnerability made public, IT professionals need to be extra vigilant regarding their network users’ behaviors,” said Justin Jett, director of audit and compliance for Plixer. “The PoC released by ‘researcher’ SandboxEscaper on Twitter gives malicious actors leverage needed to break into organizations to steal valuable information.”

“Network traffic analytics should continue to be used to detect anomalous traffic going across the network and to spot where users are behaving in a way that they historically don’t,” Jett added. “Such behavior could be a strong indicator that the vulnerability, which allows hackers to escalate their privileges on a system, may be in use.

We’ll have to wait for Microsoft to respond, but if nothing is released until the scheduled September 11 Patch Tuesday, hackers will have a two-week window to take advantage of this vulnerability.”


Kavita Iyer