New Windows Zero-Day vulnerability disclosed on Twitter

Home » Microsoft

Reading time icon 1 min. read

Calendar icon Published on

by Surur Davids 

published on

Share this article

Readers help support MSpoweruser. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help MSPoweruser sustain the editorial team Read more

A frustrated security researcher has revealed a new zero-day bug for fully-patched Windows 10 PCs which would allow any software running on your PC to gain system-level privileges. In the now deleted tweet he said:

Here is the alpc bug as 0day: https://t.co/m1T3wDSvPX I don’t fucking care about life anymore. Neither do I ever again want to submit to MSFT anyway. Fuck all of this shit.

— SandboxEscaper (@SandboxEscaper) August 27, 2018

The bug is a local exploit (ie the software needs to be running on your PC already) and involves the Windows task scheduler.

CERT has verified the bug and reports:

Description
Microsoft Windows task scheduler contains a vulnerability in the handling of ALPC, which can allow a local user to gain SYSTEM privileges.

Impact
A local user may be able to gain elevated (SYSTEM) privileges.

Solution
The CERT/CC is currently unaware of a practical solution to this problem.

While CERT is not aware of a solution at present Microsoft, speaking to The Register,  said they will “proactively update impacted advices as soon as possible”, and will of course regularly distributed security fixes on Patch Tuesday.

Surur Davids

Surur Davids Shield

Smartphone Expert

Surur Davids is the founder of WMPoweruser which later became MSPoweruser.com. He's a smartphone expert with over a decade of experience.

User forum

0 messages