Critical Windows zero-day security flaw revealed anonymously on Twitter

Microsoft working on a fix to the verified security flaw

A security researcher, frustrated with Microsoft's bug-reporting process, has instead published a critical Windows zero-day security flaw on Twitter.

The vulnerability, a local privilege escalation flaw, was revealed on Twitter by a researcher posting under the account name SandboxEscaper, together with a proof-of-concept exploit. The individual claimed they never want to submit a bug report to Microsoft again, indicating that they have done so in the past.

The tweet also contained a link to the GitHub repository detailing the exploit and containing the proof of concept attack.

The legitimacy of the bug was confirmed by Will Dormann, a security analyst at CERT/CC, who tested it and noted it works with a fully-patched 64-bit version of Windows 10.

Dormann added that there doesn't seem to be a "practical solution" to the problem at the moment, while a Microsoft spokesperson told The Register that the company is working on a fix.

CERT/CC posted the results of a more formal investigation into the zero-day flaw, which located the bug in the Windows Task Scheduler's handling of advanced local procedure call (ALPC), the interprocess communication mechanism Windows uses between local components.

"Microsoft Windows task scheduler contains a vulnerability in the handling of ALPC, which can allow a local user to gain SYSTEM privileges," CERT/CC noted.

To exploit the bug an attacker would first need to run code on the targeted PC, for example as an ordinary, unprivileged user. That is typically achieved by tricking a victim into downloading and running a malicious app; the app then uses the local privilege escalation flaw to elevate itself from the victim's user account to SYSTEM, the highest level of privilege on a Windows machine. On its own the bug gives no remote access, which is why it is chained with an initial foothold rather than used as a first-stage attack.

SandboxEscaper deactivated their Twitter account after revealing the zero-day flaw, but the account is now active again and still carries the tweet disclosing the Windows bug.

Looking through SandboxEscaper's tweets and a blog linked to the account, it would appear that SandboxEscaper is fed up with working in IT security, and seemingly the daily 9-to-5 cycle of work, and wanted to sell a Windows bug to get enough money to travel.

Presumably, because Microsoft's bug bounty programme was not as generous as hoped, the individual chose to release their bugs and security flaws for free instead. They subsequently backtracked somewhat.
