Zero-Day Local Privilege Escalation Flaw Confirmed in Windows 10 Systems

A zero-day flaw was disclosed on Monday regarding the Windows Task Scheduler in 64-bit Windows 10 and Windows Server 2016 systems for which there are no known patches or specific workarounds.

A vulnerability note to that effect was published on Tuesday by the U.S. Computer Emergency Readiness Team (CERT). Researcher Will Dormann, a vulnerability analyst with CERT/CC, confirmed that the exploit code works on those systems, adding that it may be possible to modify the code to run on other Windows versions. The exploit code allows an attacker with local user access privileges to gain system access privileges. The flaw specifically resides in the Advanced Local Procedure Call interface, he added.

Security researcher Kevin Beaumont provided an analysis of the exploit code, saying that it "misuses SchRpcSetSecurity to alter permissions." It uses the Print Spooler service to gain system access privileges using hard links. "Essentially if you can alter permissions and create hardlinks you can do a bunch of Bad Things(tm)," he wrote.

Organizations can use Sysmon to detect if the exploit is actively being used, Beaumont explained:

If you use Microsoft Sysmon, look for spoolsv.exe spawning abnormal processes; it's a sure sign this exploit is being used (or another Spooler exploit). Similarly, if you use Sysmon, look for conhost.exe (Task Scheduler) spawning under abnormal processes (e.g. the Print Spooler).
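The two Sysmon checks Beaumont describes (the spooler creating an unexpected child, and a console host appearing under the spooler) can be turned into a small triage script run over exported Sysmon process-creation events. The code below is an added example and is not from the article, from Beaumont, or from Microsoft. It assumes events arrive as Sysmon Event ID 1 XML records (the format of the Microsoft-Windows-Sysmon/Operational channel); the sample events are constructed, and the allowlist of processes the spooler is expected to create (`printfilterpipelinesvc.exe`, `splwow64.exe`) is an illustrative assumption that a real deployment would tune to its own print environment.

```python
"""Flag Sysmon Event ID 1 (process create) records where spoolsv.exe spawns an
unexpected child, or where conhost.exe is created under the Print Spooler.
Added example; assumes Sysmon XML input. Allowlists below are assumptions."""
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Assumption: children the spooler legitimately creates during normal printing.
EXPECTED_SPOOLER_CHILDREN = {"printfilterpipelinesvc.exe", "splwow64.exe"}
# Assumption: service processes under which a console host should not appear.
SERVICE_PARENTS_WITHOUT_CONSOLE = {"spoolsv.exe"}

SYSMON_NS = "http://schemas.microsoft.com/win/2004/08/events/event"


def _local(tag):
    """Strip the XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def _basename(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return PureWindowsPath(path).name.lower()


def parse_sysmon_event(xml_text):
    """Flatten one Sysmon event into a dict of EventID plus its EventData fields."""
    root = ET.fromstring(xml_text)
    record = {}
    for el in root.iter():
        name = _local(el.tag)
        if name == "EventID":
            record["EventID"] = int(el.text)
        elif name == "Data" and el.get("Name"):
            record[el.get("Name")] = el.text or ""
    return record


def detect_spooler_abuse(records):
    """Return (rule, parent, child, command_line) tuples for suspicious events."""
    findings = []
    for r in records:
        if r.get("EventID") != 1:          # only process-creation events
            continue
        child = _basename(r.get("Image", ""))
        parent = _basename(r.get("ParentImage", ""))
        cmd = r.get("CommandLine", "")
        if parent == "spoolsv.exe" and child not in EXPECTED_SPOOLER_CHILDREN:
            findings.append(("spooler-unexpected-child", parent, child, cmd))
        if child == "conhost.exe" and parent in SERVICE_PARENTS_WITHOUT_CONSOLE:
            findings.append(("conhost-under-service", parent, child, cmd))
    return findings


def _event(event_id, image, parent, cmdline):
    """Build a constructed Sysmon-style event record for the demo."""
    return (
        f'<Event xmlns="{SYSMON_NS}"><System><EventID>{event_id}</EventID></System>'
        f'<EventData><Data Name="Image">{image}</Data>'
        f'<Data Name="ParentImage">{parent}</Data>'
        f'<Data Name="CommandLine">{cmdline}</Data></EventData></Event>'
    )


SYS32 = r"C:\Windows\System32"
# Constructed sample events: two benign, two suspicious, one non-process event.
SAMPLE_EVENTS = [
    _event(1, rf"{SYS32}\printfilterpipelinesvc.exe", rf"{SYS32}\spoolsv.exe",
           "printfilterpipelinesvc.exe -Embedding"),
    _event(1, rf"{SYS32}\cmd.exe", rf"{SYS32}\spoolsv.exe", "cmd.exe /c whoami"),
    _event(1, rf"{SYS32}\conhost.exe", rf"{SYS32}\spoolsv.exe",
           r"\??\C:\Windows\system32\conhost.exe 0x4"),
    _event(1, rf"{SYS32}\cmd.exe", r"C:\Windows\explorer.exe", "cmd.exe"),
    _event(3, rf"{SYS32}\spoolsv.exe", "", ""),   # network event, ignored
]


def run_demo():
    records = [parse_sysmon_event(e) for e in SAMPLE_EVENTS]
    return detect_spooler_abuse(records)


if __name__ == "__main__":
    for rule, parent, child, cmd in run_demo():
        print(f"[{rule}] {parent} -> {child}: {cmd}")
```

Running the demo reports three findings: the spooler creating `cmd.exe`, the spooler creating `conhost.exe`, and that same `conhost.exe` event matched a second time by the console-under-service rule. In production the same two rules map directly onto Sysmon `ProcessCreate` filter conditions on `ParentImage` and `Image`, with the allowlist expanded from observed baseline traffic rather than from the constructed values above.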

An attacker would need to have local access permissions beforehand to carry out such an attack, according to Beaumont.

The exploit had been posted on GitHub but was later removed. Beaumont reposted the code at this GitHub page. The author of the exploit had announced it via the SandBoxEscaper Twitter handle, expressing frustrations about life and submitting exploits to Microsoft.

The exploit apparently wasn't vetted beforehand by Microsoft as part of the usual responsible disclosure approach advocated by security researchers. There appears to be no response published at the Microsoft Security Response Center or other security venues. However, Microsoft did send a general statement saying that it looks into security issues and addresses them during its Update Tuesday releases, which was published in this ZDNet article. Microsoft also told The Register that it will "proactively update" devices as soon as possible.

Beaumont vaguely mentioned a few general mitigation strategies to adopt, such as not allowing untrusted users to run code on systems, but he noted that Microsoft will have to address the problem, which "will probably happen in a few weeks."

About the Author

Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.

