New Windows Zero-Day Bug Allows a Local User to Obtain SYSTEM Privileges
CYBER NEWS

New Windows Zero-Day Bug Allows a Local User to Obtain SYSTEM Privileges

1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)
Loading...

A new Windows zero-day vulnerability has been announced by CERT/CC. The organization just put out a warning of the flaw which is described as a privilege escalation one.




The vulnerability was initially announced on Twitter by SandboxEscaper who also said that it is a zero-day with a proof-of-concept published on GitHub.

New Zero-Day in Windows Officially Verified

Further down the line, the zero-day was verified by CERT/CC vulnerability analyst Phil Dormann who tweeted the following:

“I’ve confirmed that this works well in a fully-patched 64-bit Windows 10 system. LPE [Local Privilege Escalation] right to SYSTEM!”

An official investigation has also taken place, conducted by CERT/CC. Here’s what’s in the official vulnerability note posted by CERT/CC:

Vulnerability Note VU#906424
Microsoft Windows task scheduler contains a local privilege escalation vulnerability in the ALPC interface.

Apparently, Microsoft Windows task scheduler contains the local privilege escalation vulnerability in question, which is located in the Advanced Local Procedure Call (ALPC) interface. The zero-day bug can allow a local user to obtain SYSTEM privileges.

Related Story: July 2018 Patch Tuesday Fixes CVE-2018-8281, Microsoft Office Bugs

The information about the vulnerability is still insufficient, and it also hasn’t be assigned a CVE identifier. However, it is known that it opens a loophole and enables a well-known attack vector.

If a malicious actor succeeds in tricking a user to download and run an app, a piece of malware is activated through local privilege escalation. The attack chain ends with obtaining system privileges.

There is still no known solution to this issue, and most likely Microsoft will fix it through Patch Tuesday.

Avatar

Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum for 4 years. Enjoys ‘Mr. Robot’ and fears ‘1984’. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles!

More Posts

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Loading...
Share on Twitter Tweet
Loading...
Share on Google Plus Share
Loading...
Share on Linkedin Share
Loading...
Share on Digg Share
Share on Reddit Share
Loading...
Share on Stumbleupon Share
Loading...