New zero-day vulnerability found in Windows 10, no currently known fix

By Dan Thorp-Lancaster
published

Microsoft says it will "proactively update impacted devices as soon as possible."

A zero-day vulnerability that could give an attacker escalated privileges on Windows systems was disclosed today. Initially revealed by Twitter user SandboxEscaper, who posted a proof-of-concept to their GitHub, the vulnerability has since been verified by US-CERT.

According to US-CERT, the exploit is rooted in the Windows task scheduler, and it has been confirmed to work on 64-bit Windows 10 and Windows Server 2016 systems. From US-CERT:

Microsoft Windows task scheduler contains a local privilege escalation vulnerability in the Advanced Local Procedure Call (ALPC) interface, which can allow a local user to obtain SYSTEM privileges.

There's no known solution to the problem yet, and it currently works on fully-patched systems. However, Microsoft said in a statement to The Register that it will "proactively update impacted devices as soon as possible." A fix is most likely to arrive during Microsoft's next Patch Tuesday cycle, scheduled for September 11.

Dan Thorp-Lancaster
Dan Thorp-Lancaster

Dan Thorp-Lancaster is the former Editor-in-Chief of Windows Central. He began working with Windows Central, Android Central, and iMore as a news writer in 2014 and is obsessed with tech of all sorts. You can follow Dan on Twitter @DthorpL and Instagram @heyitsdtl

22 Comments
  • Back to Win 8.1 pro until this flaw is cured!
  • Like everyone has time to reinstall another OS every time a flaw is discovered!!!!
  • Dual booting is the solution...
  • Why do you assume its not a flaw in 8.1 as well?
  • It's not tested for 8.1 yet...
  • If you read it on Microsoft's blog page, then this affects all computers on Windows 7, 8, 8.1, and 10.
    .
    So your logic of going back to Win8.1 will not help you at all
  • Maybe he meant 3.1.
  • Nah, IBM's PS/2 would be a safer bet lol. /sarcasm
  • How about IBM PC-DOS?
  • I appreciate that it's sarcasm but PS/2 was an architecture not an OS. Just thought I would point that out ;-D
  • Lol, that was the point 🤣. It's useless without any sort of o/s so much safer to use haha.
  • Link to the blog?
  • Yah man. Win 8.1 to the rescue.
  • Not really considering this affects ALL versions of Windows as far back as 7 so Vista would be a safer bet.
  • This has probably been around for a while, and had it not been made public, no one would even know about it, let alone be worried. The chances of actually getting a compromised system is very low, and as I said, you'd probably go years and never be hit with it. It's only now it's been made public that it's suddenly a huge problem for everyone.
  • Yeah. "The sky is falling!" Like 8.1 doesn't have its undiscovered or undisclosed vulnerabilities too. Why not back to 95. There's an app for that. :)
  • Windows 386
  • :))))) wait for Microshaft to fix this...next year
  • Another prime example why having a robust firewall alongside a antivirus is necessary in this day and age.
  • Back to Windows 95...still runs...browser can still use some websites...lol
  • There, quite literally, is an app for that.
  • "... next Patch Tuesday cycle, scheduled for September 11." It sounds like...