Yesterday we reported on a recently discovered zero-day flaw in the Windows 10 Task Scheduler ALPC interface. While Microsoft has yet to officially solve this problem, a third-party fix (a micropatch) has been issued. However, it is now known the vulnerability affects more Windows machines than originally thought.
The vulnerability is within the Windows task scheduler API. The problem could allow an attacker to alter permissions and gain wider system access. To exploit the vulnerability, the attacker would need to be local and using the PC. The flaw is buried in the Windows 10 task scheduler and means the API function is not checking for permissions.
Acros Security has issued a micropatch to mitigate the flaw. This fix stops any bad actors from exploiting the problem. Yesterday we reported that the vulnerability only affects Windows 10 64-bit. However, researchers have found the zero-day could be exploited on 32-bit machines with some minor changes.
Not every Windows 10 user is going to receive the micropatch. That’s because the fix is limited to 64-bit Windows 10 version 1803. More information will be provided tomorrow when Acros Security publishes a blog post on the fix.
Task Scheduler Flaw
As mentioned, the zero-day is a problem in the Advanced Local Procedure Call (ALPC) interface. Because it is not checking for permission, an attacker could alter permissions to enter a system.
“We have confirmed that the public exploit code works on 64-bit Windows 10 and Windows Server 2016 systems,” according to a note issued Monday by CERT. “Compatibility with other Windows versions may be possible with modification of the publicly-available exploit source code.”
The task scheduler is a part of Windows 10 that allows users to set a schedule for program launching. Access to the SchRpcSetSecurity function allows anyone with local access to set file permissions. This function is open in Windows 10, giving potential access to bad actors.