Windows 0-Day ALPC Bug Exploit Patched By Third Party Ahead Of Microsoft's Official Update


A couple of days back, I wrote about a security researcher who goes by the handle SandboxEscaper and who disclosed a serious Windows bug, along with proof-of-concept code to exploit it, via Twitter. The bug lies in the Windows Task Scheduler’s Advanced Local Procedure Call (ALPC) interface, and the proof-of-concept code could be used to exploit it so that a local user gains SYSTEM-level privileges on Windows 10 x64 systems. That code was later validated and then modified to work on 32-bit Windows 10 systems and Windows Server 2016 as well.

Mostly because it was a local bug that required a user to already be logged in and able to execute code, rather than a vulnerability that could be leveraged remotely, Microsoft did not feel the need to release an out-of-band update and instead planned to ship a fix with its normal “Patch Tuesday” updates.

ACROS Security seems to have beaten Microsoft to the punch, however. ACROS identified a couple of places where Microsoft’s code made impersonation calls in the wrong order inside some permission-setting functions (this is a vastly simplified explanation), and after those calls were corrected, the proof-of-concept code no longer worked.

Image: The 0PATCH Agent (credit: ACROS)

The ACROS blog explains, “What we did here was remove the premature RpcRevertToSelf call and insert a replacement RpcRevertToSelf call to the code block following the offending call. While this block has many other branches leading to it, we checked that these are not impersonated which means our inserted call won't erroneously prematurely revert some other impersonation.”

ACROS releases its “micro-patches” via its 0PATCH agent, which patches running processes in memory using function hooks, without downtime or reboots. The service requires signing up for an account and running an agent on the system (somewhat akin to anti-malware or anti-virus software), but if you don’t want to wait for Microsoft to fix the issue, it appears to be a viable stopgap that can easily be disabled once the official patch is released.