Microsoft Windows zero-day vulnerability disclosed through Twitter

Updated: There is no known workaround for the security flaw.
Written by Charlie Osborne, Contributing Writer

Microsoft has quickly reacted to the disclosure of a previously unknown zero-day vulnerability in the Windows operating system.

On Monday, Twitter user SandboxEscaper revealed the existence of the bug on the microblogging platform. As reported by the Register, the user said:

"Here is the alpc bug as 0day. I don't f**king care about life anymore. Neither do I ever again want to submit to MSFT anyway. F**k all of this shit."

The user linked to a page on GitHub which appears to contain a proof-of-concept (PoC) for the vulnerability.

TechRepublic: Do you miss Windows 95? You can now download it as a free app

Following the disclosure, on Tuesday, Will Dormann, vulnerability analyst at CERT/CC verified the bug, adding that the zero-day flaw works "well in a fully-patched 64-bit Windows 10 system."

The Windows vulnerability is described as a local privilege escalation security flaw in the Microsoft Windows task scheduler caused by errors in the handling of Advanced Local Procedure Call (ALPC) systems.

If exploited, the zero-day bug permits local users to obtain system privileges. As ALPC is a local system, the impact is limited, but the public disclosure of a zero-day is still likely a headache for the Redmond giant.

CNET: Here's what happened to Microsoft's Xbox VR gaming headset

There are no known workarounds for the vulnerability, which has been awarded a CVSS score of 6.4 -- 6.8.

SandboxEscaper's tweet has since been deleted. However, Microsoft has acknowledged the zero-day flaw.

See also: Critical remote code execution flaw in Apache Struts exposes the enterprise to attack

This is likely to take place on September 11, the next scheduled Microsoft Patch Tuesday, unless the firm decides to issue an out-of-schedule patch.

Update 16.28 BST: A Microsoft spokesperson told ZDNet:

"Windows has a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible. Our standard policy is to provide solutions via our current Update Tuesday schedule."

Update 17.38 BST: It appears that the discoverer of the vulnerability may have attempted to sell or at least inquire about selling the zero-day vulnerability last month. A Reddit user with the same name, SandboxEscaper, posted a number of times on Reddit asking about "selling Windows 0days." However, at the time of writing, the posts have been deleted.

29.8, 11.29BST: The original tweet sent by SandboxEscaper appears to have been restored. The user also tweeted:


15 amazing tech gadgets you need for your home office

Previous and related coverage

How hackers managed to steal $13.5 million in Cosmos bank heist

An in-depth look into the incident reveals how the 112-year-old bank may have been swindled out of millions.

Spyware firm SpyFone leaves customer data, recordings exposed online

Thousands of spyware users and those being monitored have had their information leaked to the public domain.

Open, Cortana: Voice assistant used to bypass locked Windows 10 machine security

Exploit of Microsoft's Cortana did not require any external code.

Windows 10: New Android app, improved security and bug fixes in latest Insider build

Latest preview release showcases Your Phone app for Android users, plus HTTP/2 and CUBIC networking.

Security vendors need to stop doing more harm than good

Opinion: What if the security industry operated under a basic tenet: "First, do no harm?"

Editorial standards