Patch likely to be available next month
UPDATE (03/09) A micropatch has been released by 0patch for the latest version of Windows 10. Microsoft is due to release a full patch for the vulnerability on September 11.
A zero-day vulnerability in Windows task scheduler was disclosed over Twitter on Monday, resulting in a prompt yet inconclusive response from Microsoft.
The vulnerability, first discovered by security researcher SandboxEscaper, allows for privilege escalation through the task scheduler’s Advanced Local Procedure Call (ALPC) interface – an internal inter-process communication mechanism that the task scheduler relies on for its operations.
If exploited, this vulnerability could allow an attacker to obtain system privileges. While the impact is limited to local systems, the flaw has been allocated a CVSS score of 6.8, rated as medium severity.
SandboxEscaper reported the local escalation flaw over social media with a link to a GitHub page containing the vulnerability’s proof-of-concept (PoC), which was later confirmed by a vulnerability analyst as a functional bug in a “fully-patched 64-bit Windows 10 system”.
SandboxEscaper added: “Enjoy the 0day (sic). It will get patched really fast. I guess I had fun today.”
Microsoft publicly acknowledged the vulnerability in a statement to The Register, saying that it would “proactively update impacted advises as soon as possible”. The majority of the InfoSec community believes that a fix is likely to be released in the company’s next Patch Tuesday, on 11 September.
The CERT Coordination Center has also said that it is “unaware of a practical solution to this problem”.
The Daily Swig has reached out to both SandboxEscaper and Microsoft for comment.