Date: 2018-08-29
Fed-up IT staffer exposes Windows zero-day on Twitter
Microsoft is working on a fix but is probably less than happy
THINK YOU'RE HAVING A BAD DAY? Then put yourself in Microsoft's shoes after a Windows zero-day flaw was revealed on Twitter rather than quietly to a security team.
The vulnerability in question was a local privilege escalation flaw and was revealed on Twitter alongside a proof of concept exploit by a tweeter going by the name of SandboxEscaper, who claimed to not want to submit a bug report to Microsoft ever again.
SandboxEscaper's tweet contained a link to the GitHub repository detailing the exploit and containing the proof of concept attack.
Here is the alpc bug as 0day: https://t.co/m1T3wDSvPX I don't fucking care about life anymore. Neither do I ever again want to submit to MSFT anyway. Fuck all of this shit.— SandboxEscaper (@SandboxEscaper) 27 August 2018
The legitimacy of the bug was confirmed by Will Dormann, a security analyst at CERT/CC, who tested it and noted it works with a fully-patched 64-bit version of Windows 10.
Dormann noted that there doesn't seem to be a "practical solution" to the problem, while a Microsoft spokesperson told The Register that Redmond's boffins are working on a fix.
I've confirmed that this works well in a fully-patched 64-bit Windows 10 system. LPE right to SYSTEM! https://t.co/My1IevbWbz — Will Dormann (@wdormann) 27 August 2018
CERT/CC posted the results of a more formal investigation into the zero-day flaw, which noted that the exploit takes advantage of a vulnerability in Windows' use of Advanced Local Procedure Call (ALPC).
"Microsoft Windows task scheduler contains a vulnerability in the handling of ALPC, which can allow a local user to gain SYSTEM privileges," CERT/CC noted.
To exploit the bug, a hacker would need to have some form of local access to a targeted PC. That could be achieved if an attacker were to trick a victim into downloading and running an app that could use local privilege escalation to gain elevated privileges over a system.
SandboxEscaper seemed to deactivate their account after revealing the zero-day flaw. But the account is now active again and includes the tweet revealing the Windows bug.
Looking through SandboxEscaper's tweets and a blog linked to the account, it would appear that SandboxEscaper is fed up with working in IT security, and seemingly the daily 9-to-5 cycle of work, and wanted to sell a Windows bug to get enough money to travel.
Maybe if I somehow manage to find one good bug, I can sell it for a lot of money so I don't have to do this stupid work anymore for a while. I think I'll do that.— SandboxEscaper (@SandboxEscaper) 27 August 2018
As such, the public reveal of the zero-day doesn't seem to be a direct move to cause Redmond a headache, but we suspect Microsoft won't be too chuffed with having a flaw in Windows shown off on Twitter before it got wind of it. µ
