Home > Cyber News > New Windows Zero-Day Bug Allows a Local User to Obtain SYSTEM Privileges

New Windows Zero-Day Bug Allows a Local User to Obtain SYSTEM Privileges

A new Windows zero-day vulnerability has been announced by CERT/CC. The organization just put out a warning of the flaw which is described as a privilege escalation one.

The vulnerability was initially announced on Twitter by SandboxEscaper who also said that it is a zero-day with a proof-of-concept published on GitHub.

New Zero-Day in Windows Officially Verified

Further down the line, the zero-day was verified by CERT/CC vulnerability analyst Phil Dormann who tweeted the following:

“I’ve confirmed that this works well in a fully-patched 64-bit Windows 10 system. LPE [Local Privilege Escalation] right to SYSTEM!”

An official investigation has also taken place, conducted by CERT/CC. Here’s what’s in the official vulnerability note posted by CERT/CC:

Vulnerability Note VU#906424
Microsoft Windows task scheduler contains a local privilege escalation vulnerability in the ALPC interface.

Apparently, Microsoft Windows task scheduler contains the local privilege escalation vulnerability in question, which is located in the Advanced Local Procedure Call (ALPC) interface. The zero-day bug can allow a local user to obtain SYSTEM privileges.

Related Story: July 2018 Patch Tuesday Fixes CVE-2018-8281, Microsoft Office Bugs

The information about the vulnerability is still insufficient, and it also hasn’t be assigned a CVE identifier. However, it is known that it opens a loophole and enables a well-known attack vector.

If a malicious actor succeeds in tricking a user to download and run an app, a piece of malware is activated through local privilege escalation. The attack chain ends with obtaining system privileges.

There is still no known solution to this issue, and most likely Microsoft will fix it through Patch Tuesday.

Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum since the project started. A professional with 10+ years of experience in creating engaging content. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim

More Posts

Follow Me:

Leave a Comment

Your email address will not be published. Required fields are marked *

This website uses cookies to improve user experience. By using our website you consent to all cookies in accordance with our Privacy Policy.
I Agree