New Windows 10 Security Exploit Can Read All Your Files -- What You Need To Know


A security researcher with a history of releasing zero-day exploits for the Windows operating system has struck again, this time just days after the latest Patch Tuesday security updates were rolled out. That timing means Windows 10 users are unlikely to see a fix before the next update cycle on June 11 at the earliest. So what did SandboxEscaper just drop into the Windows threatscape, what are the risks, and is there worse to come?

What just happened?

A security researcher going by the name of SandboxEscaper has posted a proof-of-concept demo for a Windows zero-day exploit online. This local privilege escalation (LPE) exploit is the fifth in a series of zero-days that SandboxEscaper has dropped into the Windows environment over the last year. A local privilege escalation does not, on its own, give anyone access to your computer: an attacker first needs to be running code on the machine already, for example under an ordinary user account. What the proof of concept provides is a way for that attacker to raise those limited privileges to administrator level, and with that comes unrestricted access to your data.

SandboxEscaper has a track record of turning the Windows Task Scheduler to nefarious purposes, and this latest zero-day is no exception. It uses Task Scheduler to import and run a malformed task file, exploiting a flaw in the way the scheduler sets the discretionary access control list (DACL) on such files: instead of reserving full control for administrators and the system, the resulting permissions grant full control to any user. Will Dormann, a vulnerability analyst at CERT/CC, explained in a tweet that the exploit "works as-is on a fully patched Windows 10 x86 system... quickly, and 100% of the time in my testing." It also works, according to Dormann, on a 64-bit Windows 10 computer if "you are not afraid to compile your own code."

What was the motivation?

As mentioned, SandboxEscaper has a reputation for releasing exploit code without any prior disclosure to Microsoft. Reporting on one of these last year, Forbes contributor Marco Chiappetta suggested that "depression may have been a factor in SandboxEscaper's decision to post the exploit" and quoted her as saying "I screwed up, not MSFT (they are actually a cool company). Depression sucks." However, in her latest blog postings announcing the new exploit, SandboxEscaper writes "I don't owe society a single thing. Just want to get rich and give you f*cktards in the west the middle finger. I'm donating all my work to enemies of the U.S." Make of that what you will. The timing is also interesting as it comes straight after the monthly Microsoft update cycle which means it leaves the window of exploit opportunity open until June 11 when the next cycle is scheduled.

Is there worse to come?

It appears that this isn't going to be the last we hear from SandboxEscaper either. In that same series of blog posts, she says that she has four more unpatched zero-days. "If any non-western people want to buy LPEs," she writes, "Won't sell for less than 60k." Ian Thornton-Trump, head of security at AmTrust International, told me during a conversation this morning that as far as the economics of selling exploits are concerned it's "kind of a sh*thead move." You can understand why as Microsoft is known for having a pretty generous bug bounty program which enables researchers to cash in on their findings without taking the criminal route to riches. "It's sad that folks burn the opportunity to contribute to the information security community," Thornton-Trump said.

What can you do to mitigate the risk?

Given that, judging by the responses to SandboxEscaper's previous exploits, a patch for this zero-day is unlikely before the next Patch Tuesday on June 11, what can you do to mitigate the risk? "I will tell you that anything that interacts with the task scheduler is going to be pretty unsubtle and fairly easy to detect," Thornton-Trump advises, "probably even by Windows Defender." Of course, that doesn't mean it will be an impotent threat, and zero-day attacks must always be considered a very real and present danger to data. That said, Thornton-Trump isn't panicking over this, as most enterprise endpoints have many compensating security controls deployed and those should provide adequate protection. Home users are advised to ensure their security software is up to date and, since this exploit only escalates privileges for code that is already running on the machine, to take care to prevent attackers from gaining a foothold on their systems in the first place.
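One way to turn Thornton-Trump's detection point, and the DACL behaviour described earlier, into a concrete check is to audit the task files themselves. The script below is an added example written for this page, not code from the article or from SandboxEscaper. It walks the task store under %SystemRoot%\System32\Tasks and reports every access-control entry that grants write-level rights to a principal other than SYSTEM, Administrators and TrustedInstaller, which is the outcome the article describes the exploit producing on a task file. The allowlist of privileged principals and the set of rights treated as write-level are my assumptions.

```powershell
# Added example (not from the article): audit scheduled-task files for
# DACLs that hand write-level rights to non-privileged principals.
# Run from an elevated PowerShell; reading ACLs under System32\Tasks
# requires administrator rights.

$TaskRoot = Join-Path $env:SystemRoot 'System32\Tasks'

# Assumption: only these principals should hold write-level rights on a
# task file. Anything else with such rights is reported for review.
$PrivilegedPrincipals = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'NT SERVICE\TrustedInstaller'
)

# Assumption: rights that let a user alter the task, its ACL or its owner.
$WriteMask = [System.Security.AccessControl.FileSystemRights]'FullControl, Modify, Write, ChangePermissions, TakeOwnership'

function Get-WeakTaskAcl {
    param([string]$Root = $TaskRoot)

    Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $file = $_
        $acl = Get-Acl -LiteralPath $file.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { return }

        foreach ($ace in $acl.Access) {
            # Only Allow entries can widen access; Deny entries narrow it.
            if ($ace.AccessControlType -ne 'Allow') { continue }

            $principal = $ace.IdentityReference.Value
            if ($PrivilegedPrincipals -contains $principal) { continue }

            # Report the ACE if any write-level bit is set. Cast to [int] so
            # generic-rights values (which render as raw numbers) still mask.
            if (([int]$ace.FileSystemRights -band [int]$WriteMask) -ne 0) {
                [pscustomobject]@{
                    Task      = $file.FullName.Substring($Root.Length).TrimStart('\')
                    Principal = $principal
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                    Owner     = $acl.Owner
                    Modified  = $file.LastWriteTime
                }
            }
        }
    }
}

$hits = Get-WeakTaskAcl
if ($hits) {
    # Most recently modified first: a freshly imported malicious task
    # lands at the top of the list.
    $hits | Sort-Object Modified -Descending | Format-Table -AutoSize
} else {
    "No task files grant write-level rights to non-privileged principals."
}
```

Treat the output as leads rather than verdicts: a task created by a standard user can legitimately carry an entry for that user, so compare against a baseline taken from a known-clean machine and pay most attention to entries granting FullControl, entries for Everyone or Authenticated Users, and files modified in the last few days. Pair the file-level audit with the event log: the Security log records task creation as event 4698 once the "Audit Other Object Access Events" policy is enabled, and the Microsoft-Windows-TaskScheduler/Operational log records registrations and runs independently of that policy.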
