Zero-day vulnerabilities are potential security weak points found in programs after they’ve been released. Obviously, the program developers are unaware of the vulnerabilities, so it is often third parties who discover them and then share their findings so that they can be closed up by the developers in question. We’ve reported a couple of times on Google’s dedicated zero-day hunting team and the bugs they’ve found.
A new zero-day vulnerability has been discovered in Windows 10 that could lead to a malicious attack
According to a report by ZDNet, the new vulnerability was discovered by security researcher SandboxEscaper. The vulnerability relates to Windows Task Scheduler but is unable to take control of a victim’s computer alone. However, if it is used in conjunction with other nefarious methods it could prove very harmful to the victim’s online security. When done so, the vulnerability allows the hacker to run a specific .job file within Task Scheduler to grant admin privileges.
SandboxEscaper published the details and code of the vulnerability to GitHub, without notifying Microsoft. This means there is still no official word on when a patch for the exploit will be available. As to whether it is responsible behavior to publish a vulnerability, including code and demonstration video, online without first notifying the developers that could close it off is for you to decide. Hackers now know of this vulnerability and we now have to wait for Microsoft to patch it.
Researcher also released a demo video of the LPE zero-day in action. See below: pic.twitter.com/ZX8XWLQ74z
— Catalin Cimpanu (@campuscodi) May 22, 2019
This isn’t the first time SandboxEscaper has acted in this way either. According to the same ZDNet report, she released four other Windows zero-day vulnerabilities in the same manner last year. Three of these were patched by Microsoft without any problems but one of them was used in active malware campaigns for weeks after its release.
It took Microsoft between one or two months to patch the four vulnerabilities SandboxEscaper published in 2018 which means there will be a lot of pressure at Microsoft HQ, if the software giant wants to fix this latest vulnerability in time for its next scheduled patch on Tuesday, June 11. Microsoft has two weeks if it wants to hit that deadline.
So, who exactly is vulnerable to this potential exploit? It has only been confirmed so far on Windows 10 32-bit systems but it is believed, however, that, in theory at least, it could be adapted to work on all Windows systems all the way back to Windows XP and Server 2003.
When a hacker gains administrative privileges over a system it gives them complete access to everything on it. This potential vulnerability should be taken seriously, but all we can do for now is hope that Microsoft gets a patch out before hackers start trying to exploit it.
