vSOC SPOT Report: Microsoft Scheduler Zero-Day
Overview
On August 27th, 2018, a security researcher released a working exploit on GitHub for a local privilege escalation (LPE) vulnerability in the Microsoft Windows Task Scheduler. The zero-day was publicly disclosed through a Twitter post and has been confirmed to grant full SYSTEM access on fully patched Windows 10 and Windows Server 2016; other platforms are assumed to be affected as well.
Technical Overview
The exploit abuses the Microsoft Windows Task Scheduler's Advanced Local Procedure Call (ALPC) interface to escalate privileges, allowing a local user to obtain SYSTEM privileges. It has been verified to work on Windows 10 and Windows Server 2016 by multiple vulnerability analysts and organizations such as CERT and Tenable.
Potential Impact
The verified impact of the exploit is the ability to escalate local privileges to SYSTEM-level access.
Mitigation
At this time the best mitigation is to follow best practices with a defense-in-depth strategy: malware mitigation, access control, network segmentation and general hardening guidelines for all operating systems.
Microsoft has been notified and has stated it will “proactively update impacted devices as soon as possible.”
Final Analysis
The release of this zero-day exploit, while serious, requires user interaction (clicking a malicious file) before an attacker can potentially gain local access to a system. Remind users to use caution and best practices when opening attachments and to report anything suspicious to the security organization to assist in detection efforts.
Organizations should also patch all Microsoft systems as soon as patches become available and continue to monitor for unusual user behavior that may indicate a compromised system.