Microsoft's Windows platform has been plagued by problems this month. Starting with the Windows 10 October 2018 Update being paused, the OS has suffered various bugs. The latest is another zero-day discovered by the same security researcher who uncovered a previous vulnerability.
Researcher “SandboxEscaper” says the latest flaw affects the Microsoft Data Sharing service (dssvc.dll). This is a Windows 10 service that manages data brokering for applications. A proof-of-concept (PoC) for the flaw has been published on GitHub.
Experts who have tested the PoC say the vulnerability lets attackers elevate their privileges on Windows 10 and access parts of the system. The PoC code also shows how bad actors could delete files that would usually require admin access.
Only Windows 10 seems to be affected by this flaw. This also includes the October 2018 Update, Microsoft's latest version of the OS.
This is the second zero-day vulnerability disclosed by SandboxEscaper in recent months. In August, the researcher showcased a flaw that would write garbage data to Windows. This latest problem is more dangerous because it deletes files, which is why we advise against downloading the PoC. However, SandboxEscaper does point out that this vulnerability would be a “pain to exploit” for malware writers.
Windows XP Problem
In some ways, this latest zero-day is similar to a flaw found in the aging Windows XP platform last week.
The exploit gives hackers the means to move admin accounts to their own machines. Attackers could transfer admin privileges to Guest accounts to access more of the system.
“Regardless of the version since XP, Windows uses the Security Account Manager (SAM) to store the security descriptors of local users and built-in accounts. As is mentioned in How Security Principals Work, every account has an assigned RID which identifies it. Different from domain controllers, Windows workstations and servers will store most part of this data in the HKLM\SAM\SAM\Domains\Account\Users key, which requires SYSTEM privileges to be accessed.”