Last week, Twitter user and security researcher @SandboxEscaper published news of a zero-day vulnerability in Windows 10. The post was accompanied by a Proof of Concept (PoC). As expected, attackers have already started to abuse the bug to bypass Windows' security controls.
Where is the flaw?
The bug revealed by SandboxEscaper lies in the Advanced Local Procedure Call (ALPC) interface of the Task Scheduler in Windows 7 and Windows 10. It allows an attacker to obtain administrative rights even when the malicious executable is launched from a limited (non-administrator) Windows user account.
SandboxEscaper released the Proof of Concept source code together with the bug details. This meant anyone could modify and recompile that code and launch an attack against a Windows system. Such an attack can evade the security solutions deployed on many machines, including antivirus scans.
A group called PowerPool did exactly what was expected once the Proof of Concept source code was released alongside the bug. They modified the original PoC source code, recompiled it, and then used it to replace Google Chrome's auto-updater executable with their own malicious file. This allowed them to gain SYSTEM privileges on the victims' machines. The malicious file is capable of executing commands, uploading and downloading files, killing processes, and listing folders.
The initial phase of the PowerPool infection began with a malicious attachment sent to the victim by email. That foothold allowed the PowerPool group to collect basic system data and to take screenshots of the victims' PCs.
Microsoft was completely unprepared for SandboxEscaper's disclosure of the bug and has said that a patch can be expected on the next Update Tuesday, September 11.
Some mitigation measures have been published by CERT/CC, but they have not yet been officially endorsed by Microsoft.