Twitter user and security researcher SandboxEscaper has revealed a zero-day Windows vulnerability. The flaw is present in the ALPC interface of Windows Task Scheduler and lets an attacker obtain system privileges.
With it, malware creators could gain admin access in a reliable way, simply by getting the user to download a tainted application. Microsoft told The Register that it would “proactively update impacted devices as soon as possible”, likely with the next Patch Tuesday on September 11.
The exploit came with a proof-of-concept on GitHub and has since been verified by CERT/CC analyst Will Dormann. It appears that SandboxEscaper was frustrated with Microsoft's practices, saying, “Neither do I ever again want to submit to MSFT anyway. Fuck all of this shit.”
In previous tweets, she indicated a desire to sell Windows bugs, citing the need for travel money and a general dissatisfaction with the industry. The files show she had been aware of the vulnerability since May, and the exploit appears to work on the latest, fully patched version of Windows 10.
Not the First Bug Bounty Criticism
This isn't the first time Microsoft's sluggish bug bounty program has come back to bite it. In June, a security researcher highlighted how it took Microsoft 3 months to fix a bug that took Mozilla 3 days.
In his write-up, he explains how Microsoft ignored him for 20 days before it confirmed it was working on a fix, and it took a further 14 days to get word on the bounty. SandboxEscaper indicates in a previous blog post that she failed to get credit for an earlier exploit, CVE-2018-8314.
Whatever the reasons, the bug is in the wild now, and users should be extra cautious about the applications they download.