Zero-Day Local Privilege Escalation Flaw Confirmed in Windows 10 Systems

A zero-day flaw in the Windows Task Scheduler was disclosed on Monday. It affects 64-bit Windows 10 and Windows Server 2016 systems, and at the time of disclosure there was no patch and no specific workaround.

The CERT Coordination Center (CERT/CC) published a vulnerability note to that effect on Tuesday. Will Dormann, a vulnerability analyst with CERT/CC, confirmed that the public exploit code works on those systems and added that it may be possible to modify the code to run on other Windows versions. The exploit allows an attacker who already has local user privileges to gain SYSTEM-level privileges. The flaw resides in the Task Scheduler's Advanced Local Procedure Call (ALPC) interface, he added.

Security researcher Kevin Beaumont analyzed the exploit code and said it "misuses SchRpcSetSecurity to alter permissions." The exploit then abuses the Print Spooler service, via hard links, to gain SYSTEM-level privileges. "Essentially if you can alter permissions and create hardlinks you can do a bunch of Bad Things(tm)," he wrote.

Organizations can use Sysmon to detect whether the exploit is being used, Beaumont explained:

If you use Microsoft Sysmon, look for spoolsv.exe spawning abnormal processes  --  it's a sure sign this exploit is being used (or another Spooler exploit). Similarly if you use Sysmon, look for conhost.exe (Task Scheduler) spawning under abnormal processes (e.g. the Print Spooler).
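The detection heuristic above, written out as a check over Sysmon process-creation events (Event ID 1). This is an added example, not code from the article or from Kevin Beaumont. The event records are constructed samples in Sysmon's EVTX XML layout, and the allowlist of processes the Print Spooler normally starts is an assumption to be replaced with your own baseline.

```python
"""Flag processes spawned by the Print Spooler in Sysmon Event ID 1 records.
Added example; sample events are constructed, allowlist is an assumption."""
import xml.etree.ElementTree as ET

EVT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVT_NS}

# Children the Print Spooler is expected to start during normal printing.
# Assumed for illustration; derive the real list from your own environment.
NORMAL_SPOOLER_CHILDREN = {"splwow64.exe", "printfilterpipelinesvc.exe"}


def make_event(event_id, image, parent_image, command_line=""):
    """Build a minimal Sysmon event in EVTX XML form (constructed sample data)."""
    return (
        f'<Event xmlns="{EVT_NS}"><System><EventID>{event_id}</EventID></System>'
        f'<EventData><Data Name="Image">{image}</Data>'
        f'<Data Name="CommandLine">{command_line}</Data>'
        f'<Data Name="ParentImage">{parent_image}</Data></EventData></Event>'
    )


def parse_event(xml_text):
    """Return (event_id, {Data Name: value}) for one Sysmon event."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", default="0", namespaces=NS))
    data = {d.get("Name"): (d.text or "") for d in root.iterfind("e:EventData/e:Data", NS)}
    return event_id, data


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def flag_spooler_children(xml_events):
    """Return the suspicious process creations: anything spoolsv.exe spawns
    that is not on the allowlist, with conhost.exe called out separately."""
    hits = []
    for xml_text in xml_events:
        event_id, d = parse_event(xml_text)
        if event_id != 1:  # only process-creation events carry Image/ParentImage
            continue
        child = basename(d.get("Image", ""))
        parent = basename(d.get("ParentImage", ""))
        if parent != "spoolsv.exe" or child in NORMAL_SPOOLER_CHILDREN:
            continue
        reason = ("conhost.exe started under the Print Spooler" if child == "conhost.exe"
                  else "unexpected child of the Print Spooler")
        hits.append({"child": child, "parent": parent,
                     "command_line": d.get("CommandLine", ""), "reason": reason})
    return hits


# Constructed sample log: one benign spooler child, two suspicious ones,
# one unrelated parent, and a non-process event that must be skipped.
SYS32 = "C:\\Windows\\System32\\"
SAMPLE_EVENTS = [
    make_event(1, SYS32 + "splwow64.exe", SYS32 + "spoolsv.exe"),
    make_event(1, SYS32 + "cmd.exe", SYS32 + "spoolsv.exe", "cmd.exe /c whoami"),
    make_event(1, SYS32 + "conhost.exe", SYS32 + "spoolsv.exe"),
    make_event(1, SYS32 + "cmd.exe", "C:\\Windows\\explorer.exe"),
    make_event(3, SYS32 + "spoolsv.exe", ""),
]

if __name__ == "__main__":
    for hit in flag_spooler_children(SAMPLE_EVENTS):
        print(f"[!] {hit['reason']}: {hit['parent']} -> {hit['child']} {hit['command_line']}")
```

In production the events would come from the Sysmon operational log (for example exported with wevtutil or Get-WinEvent) rather than from the constructed list; the parent/child check is the same. Expect some benign noise from print drivers, which is why the allowlist exists.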

An attacker would need local access to the system beforehand to carry out such an attack, according to Beaumont.

The exploit had been posted on GitHub but was later removed; Beaumont reposted the code at this GitHub page. The author of the exploit announced it via the SandboxEscaper Twitter handle, expressing frustration about life and about submitting exploits to Microsoft.

The exploit apparently wasn't reported to Microsoft in advance under the coordinated disclosure process that security researchers usually advocate. No response appears to have been published at the Microsoft Security Response Center or other security venues. Microsoft did, however, send a general statement, published in this ZDNet article, saying that it looks into security issues and addresses them in its Update Tuesday releases. Microsoft also told The Register that it will "proactively update" affected devices as soon as possible.

Beaumont mentioned a few general mitigations, such as not allowing untrusted users to run code on affected systems, but he noted that the fix has to come from Microsoft, which "will probably happen in a few weeks."

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.

