Unpatched Flaw In Microsoft Windows Task Manager Disclosed On Twitter
An angry Twitter user ‘SandboxEscaper’ exposed a local privilege escalation vulnerability in Microsoft Windows task manager that could allow an attacker get administrative access to a Windows system. The now deleted tweet included a link to the proof-of-concept (PoC) for the alleged zero-day vulnerability that was posted on GitHub. However, the exploit code has now been removed from GitHub.
The researcher, who claims to be tired of IT security work, seems frustrated with Microsoft’s bug bounty program:
Ps: Microsoft is stupid and I can’t wait to sell bugs in their software.
— SandboxEscaper (@SandboxEscaper) August 27, 2018
The vulnerability found resides in the task manager’s Advanced Local Procedure Call (ALPC) interface, which allows an attacker with local user access privileges to gain access to elevated (SYSTEM) privileges.
Researcher Will Dormann, a vulnerability analyst with the U.S. Computer Emergency Readiness Team (US-CERT) confirmed that the exploit code works in a fully patched 64-bit Windows 10 and Windows Server 2016 systems. He also said that the exploit code can be modified to run on other Windows versions.
Currently, there are no known patches or specific workarounds to address the vulnerability confirmed CERT.
Kevin Beaumont, a UK-based security architect, too confirmed the exploit code and also published the vulnerability code on GitHub for easy analysis.
On how can the vulnerability code be detected, Beaumont advised, “If you use Microsoft Sysmon, look for spoolsv.exe spawning abnormal processes — it’s a sure sign this exploit is being used (or another Spooler exploit). Similarly, if you use Sysmon, look for connhost.exe (Task Scheduler) spawning under abnormal processes (e.g. the Print Spooler).”
The actual fix needs to come from Microsoft. A Microsoft representative who acknowledged the flaw reportedly told The Register that the company will “proactively update impacted devices as soon as possible. Our standard policy is to provide solutions via our current Update Tuesday schedule.”
The next scheduled Microsoft Patch Tuesday is likely to take place on September 11. In other words, this would allow ample time for the attackers to exploit the vulnerability code that is in the wild.
“With the latest Windows OS vulnerability made public, IT professionals need to be extra vigilant regarding their network users’ behaviors,” said Justin Jett, director of audit and compliance for Plixer. “The PoC released by ‘researcher’ SandboxEscaper on Twitter gives malicious actors leverage needed to break into organizations to steal valuable information.”
“Network traffic analytics should continue to be used to detect anomalous traffic going across the network and to spot where users are behaving in a way that they historically don’t,” Jett added. “Such behavior could be a strong indicator that the vulnerability, which allows hackers to escalate their privileges on a system, may be in use.
We’ll have to wait for Microsoft to respond, but if nothing is released until the scheduled September 11 Patch Tuesday, hackers will have a two-week window to take advantage of this vulnerability.”
Also Read– How to fix Windows 10 taskbar not working?