August 28, 2018 at 12:59PM ZDNet Microsoft Windows zero-day vulnerability disclosed through Twitter | ZDNet
On Monday, Twitter user SandboxEscaper revealed the existence of the bug on the microblogging platform. As reported by the Register, the user said:
"Here is the alpc bug as 0day. I don't f**king care about life anymore. Neither do I ever again want to submit to MSFT anyway. F**k all of this shit."
The user linked to a page on GitHub which appears to contain a proof-of-concept (PoC) for the vulnerability.
Following the disclosure, on Tuesday, Will Dormann, vulnerability analyst at CERT/CC, verified the bug, adding that the zero-day flaw works "well in a fully-patched 64-bit Windows 10 system."
The Windows vulnerability is described as a local privilege escalation flaw in the Microsoft Windows Task Scheduler, caused by errors in its handling of Advanced Local Procedure Call (ALPC) calls.
If exploited, the zero-day bug permits local users to obtain SYSTEM privileges. Because ALPC is a local mechanism and the bug can only be triggered by a user who already has access to the machine, the impact is limited, but the public disclosure of a zero-day is still likely a headache for the Redmond giant.
There are no known workarounds for the vulnerability, which has been assigned a CVSS score of between 6.4 and 6.8.
SandboxEscaper's tweet has since been deleted. However, Microsoft has acknowledged the zero-day flaw.
A fix is likely to arrive on September 11, the next scheduled Microsoft Patch Tuesday, unless the firm decides to issue an out-of-schedule patch.
Update 16.28 BST: A Microsoft spokesperson told ZDNet:
"Windows has a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible. Our standard policy is to provide solutions via our current Update Tuesday schedule."
Update 17.38 BST: It appears that the discoverer of the vulnerability may have attempted to sell or at least enquire about selling the zero-day vulnerability last month. A Reddit user with the same name, SandboxEscaper, posted a number of times on Reddit asking about "selling Windows 0days." However, at the time of writing, the posts have been deleted.