Microsoft has reacted quickly when a Twitter user disclosed a zero-day vulnerability in the Windows OS. A Twitter user named SandboxEscaper tweeted about the bug by providing proof-of-concept code for the vulnerability. They also posted a rather dramatic message in their tweet.
“Here is the alpc bug as 0day. I don’t f**king care about life anymore. Neither do I ever again want to submit to MSFT anyway. F**k all of this shit.”
After a disclosure, Will Dormann, a vulnerability analyst at CERT/CC verified the bug was a zero-day flaw for the Windows Operating System. The vulnerability of the bug escalates the security flaw in the Windows OS due to the flaw in the platform’s task scheduler which was caused by handling the Advanced Local Procedure Call (ALPC) systems.
What are the effects of this Zero-Day?
This zero-day Windows vulnerability allows the users to get system privileges, as it involves the ALPC of the local system’s the scope of an attack is little but it is not gonna look small for a company like Microsoft. At present, there are no workarounds to this vulnerability and it has been awarded the CVSS Score of 6.4–6.8. The Sandbox Escaper’s tweet has been deleted but Microsoft has acknowledged the zero-day flaw. The patch for this flaw is going to be released on 11th next month.
“Windows has a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible. Our standard policy is to provide solutions via our current Update Tuesday schedule.”
The hacker even tried to sell the vulnerability by posting ‘selling windows 0days’ for sale on Reddit multiple times but all the posts were removed.
Here is the link to the proof-of-concept to the vulnerability: GitHub
Take your time to comment on this article.