A zero-day vulnerability in Windows 10 that abuses a flaw in Windows Task Scheduler has been posted to GitHub by a security researcher who did not first notify Microsoft of the issue.
The individual, who goes by the name SandboxEscaper, posted the vulnerabilities details along with a proof of concept showing the exploit being abused against 32-bit version of Windows 10. In his GitHub post SandboxEscaper did not say if Microsoft was notified prior to posting the findings, but in a statement to SC Media Microsoft seems to indicate this did not happen nor is a patch ready.
“Microsoft has a customer commitment to investigate reported security issues and we will provide updates for impacted devices as soon as possible. We urge finders to practice coordinated vulnerability disclosure to reduce the potential risk to customers,” a Microsoft spokesperson told SC Media.
SC was unable to get in contact with SandboxEscaper.
The flaw itself is not be easy to take advantage of, but if done properly an attacker could gain escalated privileges.
“Although this is not the type of flaw which could readily be abused by malware or remote attackers, it is still quite important that Microsoft releases a fix for this quickly,” said Craig Young, computer security researcher for Tripwire’s VERT.
Young noted several hurdles an attacker would have to overcome to utilize this zero day. First the person would have to have knowledge of a valid username and password for the system. This means an attacker who has simply achieved code execution on a target, rather than compromising a password, would not be able to gain elevated permissions with this technique.
“The biggest risk that I see from this vulnerability is that of insider threat. For example, employees typically do not have administrative rights on their workstations as this might allow them to install unauthorized software or remove critical security controls. These users of course know their own password and so can trivially exploit this flaw. Bad practices like password reuse or falling for social engineering tactics like phishing could also allow an attacker to exploit this, but only if they have a way to get an interactive login on the system. (e.g. WinRMI, RDP, SSH, VNC, etc),” Young said.
This is the second privilege escalation vulnerability SandboxEscaper has found in Task Scheduler. In September 2018 SandboxEscaper posted one involving Task Scheduler’s Advanced Local Procedure Call interface and can allow a local user to obtain SYSTEM privileges, according to the Aug 27 Cert advisory.