
Twitter User Discloses Zero-Day Windows Vulnerability on Twitter as Microsoft Rushes to Patch

A flaw in Task Scheduler allows local privilege escalation. The zero-day Windows vulnerability appears to have been revealed without informing Microsoft, which is working quickly to fix the issue.


Twitter user and security researcher SandboxEscaper has revealed a zero-day Windows vulnerability. The flaw is present in the ALPC interface of Windows Task Scheduler and lets an attacker obtain system privileges.

With it, malware creators could get admin access in a reliable way, simply requiring the user to download a tainted application. Microsoft told The Register that it would “proactively update impacted advices as soon as possible”, likely with the next Patch Tuesday on September 11.

The exploit came with a proof-of-concept on GitHub and has since been verified by CERT/CC analyst Will Dormann. It appears that SandboxEscaper was frustrated with Microsoft's practices, saying, “Neither do I ever again want to submit to MSFT anyway. Fuck all of this shit.”

In previous tweets, she indicated a desire to sell Windows bugs, citing the need for travel money and a general dissatisfaction with the industry. The files reveal an awareness of the vulnerability since May, and it appears to be possible in the latest, patched version of .

Not the First Bug Bounty Criticism

This isn't the first time Microsoft's sluggish bug bounty program has come back to bite it. In June, a security researcher highlighted how it took Microsoft 3 months to fix a bug that took Mozilla 3 days.

In it, he explains how Microsoft ignored him for 20 days before it confirmed it was working on a fix, and it took a further 14 days to get word on the bounty. SandboxEscaper indicates in a previous blog post that she failed to get credit for a previous exploit, CVE-2018-8314.

Whatever the reasons, the bug is in the wild now, and users should be extra cautious about the applications they download.

Ryan Maskell