Prolific Hacker SandboxEscaper Demos Windows 10 Zero-Day Exploit
Since 2015, Microsoft casually declared that Windows 10 is the last version of Windows, as Redmond geared-up on making their operating system a software-as-a-service (SAAS). It will forever be marketed as Windows 10 with two major yearly updates containing new features and enhancements, to the delight or annoyance of the users. Of course, as a dynamically changing operating system since 2015 (the 2015 Windows 10 was dramatically a very different animal to 2019’s Windows 10), the introduction of new features inadvertently comes with new bugs to exploit and discovery of flaws that weren’t existing before the update surfaces for cybercriminals to take advantage of.
Recently, a zero-day exploit proof-of-concept has been publicly released by a researcher with an alias of “SandboxEscaper”, detailing the weakness of the Windows 10 operating system. Publicly demonstrated through a GitHub page, the zero-day flaw is a remote code privilege escalation bug that may allow an attacker to take control of the vulnerable Windows 10 computers without any user’s knowledge. Taking advantage of the longtime vulnerability residing in the Task Scheduler service, SandboxEscaper was able to tap on SchRpcRegisterTask, a permission-less register by-default to create access control list permissions. That means any executable that uses a malformed Task Scheduler task using SchRpcRegisterTask can run it with system-privilege (administrator access).
This gives the attackers full control of the computer if they execute a relevant executable that has control to the PC, like Windows Explorer, Regedit or any System Tools available to the system administrator like the Managed Computer Window. The flaw clearly can be exploited under both 32-bit and 64-bit versions of Windows 10, including its server counterparts, Windows Server 2019 and its immediate predecessor Server 2016.
Hackers and researchers often keep zero-day vulnerabilities secret
SandboxEscaper also teased about at least four more zero-day exploits against Windows that she/he knows of but decided to keep secret for the time being. He hinted that 3 out of 4 were local privilege escalation bugs, while the other one is a sandbox escape bug. Microsoft has yet to fix the bug that SandboxEscaper revealed, as Redmond just issued its patch Tuesday last May 14, 2019. Hence, anyone interested in taking advantage of the Scheduled Task flaw may weaponize it against Windows 10 users until Microsoft finally issues an out-of-cycle patch to fix the vulnerability.
Unless Microsoft flexes its muscles again of issuing an out-of-cycle patch, expect the fix on the next update Tuesday, most probably on June 11, 2019.
Kevin Jones951 Posts
Kevin Jones, Ph.D., is a research associate and a Cyber Security Author with experience in Penetration Testing, Vulnerability Assessments, Monitoring solutions, Surveillance and Offensive technologies etc. Currently, he is a freelance writer on latest security news and other happenings. He has authored numerous articles and exploits which can be found on popular sites like hackercombat.com and others.