Another Windows Zero Day Exploit Discovered

AlphaAtlas ([H]ard|Gawd, Staff member; joined Mar 3, 2018; 1,713 messages)
Big Windows security holes aren't exactly rare. Now, it seems that another zero-day vulnerability is out in the wild. GitHub user SandboxEscaper uploaded proof-of-concept code for the attack and announced it in a rather colorful tweet. The exploit, which is related to the Windows Task Scheduler, allows a potential attacker to gain system access privileges. Microsoft says they are aware of the issue and claims that a patch will be released next Tuesday.

ALPC, Advanced Local Procedure Call, restricts the impact somewhat, since it's a local bug: you have to be already logged in to, or running code on, a machine to hijack it. However, it opens an all-too-familiar attack vector: if an attacker can get a target to download and run an app, local privilege escalation gets the malware out of the normal user context up to, in this case, system privileges.
 
So just because the person could not get a job, the person releases a 0day bug?
 
Note this is Windows 10 and Server 2016 only, not "Windows" overall. Another validation for staying put on 8.1 until MS spends a few more years fixing and patching all the beta code in 10.

Things like this undermine MS marketing about "10 is the securest windows evar". All the constant and untested "updates" just open new attack vectors. Windows 7 by contrast has been around a long time, remains relatively static and the exploits have been found and patched - it's already hardened.
 
That's what MS doesn't understand. You want an OS that's stable. That doesn't get updated every few months. Who cares about fancy new toys in your OS. The worst thing is downtime. You just need an OS that works month after month. So you can play your games or do work without any interruptions.
 
That's what MS doesn't understand. You want an OS that's stable. That doesn't get updated every few months. Who cares about fancy new toys in your OS. The worst thing is downtime. You just need an OS that works month after month. So you can play your games or do work without any interruptions.

But you don’t make money on security patches....
 
There are a lot of flaws in a lot of OSes where, if you log in, run a program that contains viral code, supply the appropriate escalations to run the program, then click yes enough times, it will infect your system.
 
There are a lot of flaws in a lot of OSes where, if you log in, run a program that contains viral code, supply the appropriate escalations to run the program, then click yes enough times, it will infect your system.

Yeah, Microsoft would have you believe typing

sudo dd if=/dev/zero of=/dev/sda bs=1M

is a security flaw in Linux: “Every OS has security flaws”.
 
There are a lot of flaws in a lot of OSes where, if you log in, run a program that contains viral code, supply the appropriate escalations to run the program, then click yes enough times, it will infect your system.

Privilege escalation is a huge risk and one reason why in a domain environment especially, you need to have multiple logins that have a clear separation of privileges.

A user gaining local administrator alone is already a risk because they can set shit up like scheduled tasks to run under a privileged context. Then helpdesk logs into that compromised machine and at that point, the attacker may have an account that has admin on even more machines.

Don't even need to get the password, sometimes you can just steal the ticket and effectively impersonate them. This can potentially even happen just by a drive being mapped. Windows 10 has multiple improvements in this area like Credential Guard to mitigate this type of attack.

Then you've spread to more machines; maybe if you're lucky you get another account, and now you have access on some servers. Rinse, repeat; if they have domain admin, that's game over.
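A check that follows from the two points above (code in a normal user context reaching SYSTEM through the Task Scheduler, and a local admin planting scheduled tasks that run in a privileged context so that a later helpdesk logon can be harvested), written here as an added example by the editor, not code posted in the thread or by SandboxEscaper: it lists every scheduled task outside the \Microsoft\ path that runs as SYSTEM or with highest privileges, flattens what each one would execute, and reports whether Credential Guard, the Windows 10 mitigation the post mentions, is actually running. The set of identities treated as privileged, the \Microsoft\ path filter and the function names are assumptions; it needs PowerShell 4+ with the ScheduledTasks module, and an elevated session to see tasks owned by other users.

```powershell
#Requires -Version 4.0
# Added example (not from the thread): audit scheduled tasks that run in a
# privileged context and report Credential Guard status. Run elevated so
# that tasks registered by other users are visible.

# Assumption: these principals count as "privileged". Add service accounts
# or management identities that are privileged in your own environment.
$privilegedIds = @('SYSTEM', 'NT AUTHORITY\SYSTEM', 'LocalSystem', 'S-1-5-18')

function Get-PrivilegedNonMicrosoftTask {
    [CmdletBinding()]
    param(
        # Assumption: tasks under \Microsoft\ ship with Windows and are
        # skipped; everything else is reviewed.
        [string]$TrustedPathPrefix = '\Microsoft\'
    )

    Get-ScheduledTask -ErrorAction SilentlyContinue |
        Where-Object { $_.TaskPath -notlike "$TrustedPathPrefix*" } |
        Where-Object {
            $p = $_.Principal
            ($null -ne $p.UserId -and $privilegedIds -contains $p.UserId) -or
            ([string]$p.RunLevel -eq 'Highest')
        } |
        ForEach-Object {
            $task = $_
            $info = $task | Get-ScheduledTaskInfo -ErrorAction SilentlyContinue
            # Flatten the exec actions to "program arguments" so the report
            # shows what would actually run under the privileged identity.
            $actions = ($task.Actions | ForEach-Object {
                ('{0} {1}' -f $_.Execute, $_.Arguments).Trim()
            }) -join '; '
            [pscustomobject]@{
                Task     = '{0}{1}' -f $task.TaskPath, $task.TaskName
                RunsAs   = if ($task.Principal.UserId) { $task.Principal.UserId } else { $task.Principal.GroupId }
                RunLevel = $task.Principal.RunLevel
                Author   = $task.Author
                Action   = $actions
                State    = $task.State
                LastRun  = $info.LastRunTime
            }
        }
}

function Get-CredentialGuardStatus {
    # Win32_DeviceGuard (Windows 10 / Server 2016 and later) reports which
    # virtualization-based security services are running: 1 = Credential
    # Guard, 2 = HVCI. If the class is absent the OS predates the feature.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard' -ErrorAction SilentlyContinue
    if (-not $dg) { return 'Unavailable (Win32_DeviceGuard not present)' }
    if ($dg.SecurityServicesRunning -contains 1) { return 'Running' }
    if ($dg.SecurityServicesConfigured -contains 1) { return 'Configured but not running' }
    return 'Not configured'
}

$findings = @(Get-PrivilegedNonMicrosoftTask)

"Credential Guard: $(Get-CredentialGuardStatus)"
"Scheduled tasks outside \Microsoft\ running as SYSTEM or with highest privileges: $($findings.Count)"
$findings | Sort-Object Task | Format-Table Task, RunsAs, RunLevel, Author, Action, State -AutoSize -Wrap
```

This finds the persistence pattern the post describes (a task that runs as SYSTEM and was registered by something other than Windows), not the Task Scheduler bug itself. When reviewing the output, start with tasks whose Action points at a path a normal user can write to, since that is exactly where a local admin, or malware running as one, would park a payload that later runs privileged.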
 
Privilege escalation is a huge risk and one reason why in a domain environment especially, you need to have multiple logins that have a clear separation of privileges.

A user gaining local administrator alone is already a risk because they can set shit up like scheduled tasks to run under a privileged context. Then helpdesk logs into that compromised machine and at that point, the attacker may have an account that has admin on even more machines.

Don't even need to get the password, sometimes you can just steal the ticket and effectively impersonate them. This can potentially even happen just by a drive being mapped. Windows 10 has multiple improvements in this area like Credential Guard to mitigate this type of attack.

Then you've spread to more machines; maybe if you're lucky you get another account, and now you have access on some servers. Rinse, repeat; if they have domain admin, that's game over.
I know, but just about all OSes have this bug in one form or another. That's why you need to kill off the ability for most to install things to begin with. Over here, anybody below Power User can't install anything; it gets killed before it starts because I can't trust them to not be click happy. Hell, the majority of my users run as guest privilege and their profiles are wiped on log off.
 
Yeah, Microsoft would have you believe typing

sudo dd if=/dev/zero of=/dev/sda bs=1M

is a security flaw in Linux: “Every OS has security flaws”.
If the attacker has physical access, it's game over; in this case the attacker just doesn't know they are the attacker.

Much better to just put rules in place preventing access to sudo from users below a certain user level to begin with.
Yes, it's still a bug, but the correct security measures beforehand render it almost useless.
 
Note this is Windows 10 and Server 2016 only, not "Windows" overall. Another validation for staying put on 8.1 until MS spends a few more years fixing and patching all the beta code in 10.

Things like this undermine MS marketing about "10 is the securest windows evar". All the constant and untested "updates" just open new attack vectors. Windows 7 by contrast has been around a long time, remains relatively static and the exploits have been found and patched - it's already hardened.
I'm in no way defending Microsoft here, but a majority of the code that's in Windows 10 is the same code in Windows 8.1 and Windows 7. The task scheduler code really hasn't changed since Windows 7. Could this exploit work on Windows 7? I read somewhere that yes, it will work, although with a couple of tweaks to the exploit payload, since there are slight changes involved between 7 and 10.
 
I'm in no way defending Microsoft here, but a majority of the code that's in Windows 10 is the same code in Windows 8.1 and Windows 7. The task scheduler code really hasn't changed since Windows 7. Could this exploit work on Windows 7? I read somewhere that yes, it will work, although with a couple of tweaks to the exploit payload, since there are slight changes involved between 7 and 10.
Sorry, but you can't have it both ways (and by you I mean MS and its collective shills, not you specifically).

Can't on one hand use scare tactics on unsuspecting users "better install Windows 10 if you want the bestest security - you want to be safe don't you? A lot of bad guys out there", then when busted, retreat to "well it's just the same code as 7 and 8.1".

Gimme a break.
 
That's what MS doesn't understand. You want an OS that's stable. That doesn't get updated every few months. Who cares about fancy new toys in your OS. The worst thing is downtime. You just need an OS that works month after month. So you can play your games or do work without any interruptions.


And this is what end users don't understand. There is NO OS that will run for months without requiring a patch that is also secure. NONE. They are always trying to keep up with new vulnerabilities coming out. If you think Linux is any better, you haven't been responsible for patching Linux servers. Ubuntu is the worst, as there are multiple high/critical patches released weekly. You can fully patch a box, run a vulnerability scan on it a couple of days later and already show it missing multiple patches. CentOS and Red Hat are better, but you are still patching weekly/bi-weekly. And yes, patches also break stuff on Linux boxes. That isn't a problem unique to Windows.

So would you rather have 'downtime' for 30 minutes once a month to patch critical security vulnerabilities, or spend FAR more time rebuilding your infected machine and monitoring for credential/identity theft? You sound like a corporate IT/Security team's worst nightmare.
 
Note this is Windows 10 and Server 2016 only, not "Windows" overall. Another validation for staying put on 8.1 until MS spends a few more years fixing and patching all the beta code in 10.

Things like this undermine MS marketing about "10 is the securest windows evar". All the constant and untested "updates" just open new attack vectors. Windows 7 by contrast has been around a long time, remains relatively static and the exploits have been found and patched - it's already hardened.

The article doesn't even say it was tested against Windows 8.1 and 7, so you are assuming a lot.
 
And this is what end users don't understand. There is NO OS that will run for months without requiring a patch that is also secure. NONE. They are always trying to keep up with new vulnerabilities coming out. If you think Linux is any better, you haven't been responsible for patching Linux servers. Ubuntu is the worst, as there are multiple high/critical patches released weekly. You can fully patch a box, run a vulnerability scan on it a couple of days later and already show it missing multiple patches. CentOS and Red Hat are better, but you are still patching weekly/bi-weekly. And yes, patches also break stuff on Linux boxes. That isn't a problem unique to Windows.

So would you rather have 'downtime' for 30 minutes once a month to patch critical security vulnerabilities, or spend FAR more time rebuilding your infected machine and monitoring for credential/identity theft? You sound like a corporate IT/Security team's worst nightmare.

Yep. So that leads people to say "But what about this thing that never goes down?" Well, there are one of two ways (often both) that it is done:

1) Redundancy. You have more systems than you actually need that balance between themselves, and when you update, it happens one at a time. That way the system is available from the user perspective, even though the nodes are going down and being upgraded. It also helps reliability in the event of component failure. As an example, look at NetApp FAS/AFF storage arrays. Everything is redundant: power, network, processing, SAS lines, etc. Any component can fail and it won't take things down. It also means you can do a CA upgrade. You have a node do takeover, upgrade the other node, then do it again the opposite way. Doesn't mean they don't get updates though. OnTAP (the NetApp OS) gets patches often.

2) Controlled access. For systems you can't update as often, or don't want to for other reasons, or just ones that are highly critical/secure, you make sure that access to them is only done in defined ways so that exploits are not likely to be possible. Users don't connect directly to them; they connect to some front-end system that then connects to a private network that connects to an application firewall (a system that filters input specific to an application, basically) that then connects to the server that has the app on it.

But this idea that only Windows has to get patched is just silly. Go look at the code for anything, and you see patches all the time. If it is something that people can get at, it is vulnerable to security problems and exploits WILL get found. You have to have a plan for patching, because if you don't, you are getting owned, and that is where the big downtime comes in. If you need continuous availability, you do it via redundancy, not via refusing to patch.
 
And this is what end users don't understand. There is NO OS that will run for months without requiring a patch that is also secure. NONE. They are always trying to keep up with new vulnerabilities coming out. If you think Linux is any better, you haven't been responsible for patching Linux servers. Ubuntu is the worst, as there are multiple high/critical patches released weekly. You can fully patch a box, run a vulnerability scan on it a couple of days later and already show it missing multiple patches. CentOS and Red Hat are better, but you are still patching weekly/bi-weekly. And yes, patches also break stuff on Linux boxes. That isn't a problem unique to Windows.

So would you rather have 'downtime' for 30 minutes once a month to patch critical security vulnerabilities, or spend FAR more time rebuilding your infected machine and monitoring for credential/identity theft? You sound like a corporate IT/Security team's worst nightmare.

The problem is MS is adding new toys to the OS all the time, opening it up to vulnerabilities, instead of just patching the base code like you said with security patches. What is it, 2x a year Windows 10 is basically a new OS that has to be reinstalled or installed on top of itself, leaving you with an old Windows folder? This just makes it harder to keep the OS secure when you're adding all kinds of crap each year.
 
The problem is MS is adding new toys to the OS all the time, opening it up to vulnerabilities, instead of just patching the base code like you said with security patches. What is it, 2x a year Windows 10 is basically a new OS that has to be reinstalled or installed on top of itself, leaving you with an old Windows folder? This just makes it harder to keep the OS secure when you're adding all kinds of crap each year.

That's also pretty normal. People, including enterprises, don't want code that sits stale for years. Things change, and new features are useful. Again I'll point to NetApp and their OnTAP OS, since they are huge in the enterprise storage market. They release a new feature update of OnTAP twice a year now. Every 6-ish months, there's a new version with a host of new features.

Also, new features can very well help with security issues. When you redo code and improve features, you can design things in a more modern, secure fashion. As a simple example, look at the CIFS exploit. It only worked on version 1; version 2 and up were immune. So the new features in it made it more secure, had the old features been disabled.
 
Yet you're the first ones to jump for joy when Google adds new stuff to Android every year, the same goes for Apple people when they release new stuff in iOS. People expect yearly software updates now, it's the name of the game these days.
 