A skilled Microsoft bug hunter with a penchant for public disclosures via Twitter has openly floated a new Windows 10 zero-day flaw.
The researcher, who goes by the pseudonym SandboxEscaper, says the bug is present in the code handling advanced local procedure calls (ALPCs). It can be exploited by a malicious logged-in user or malware on an already infected computer to arbitrarily delete or tamper with anything from application .dll files to critical system components.
According to SandboxEscaper, the vulnerability is similar to the local privilege escalation flaw posted back in August, with the added twist of the attacker now being able to wipe files.
The researcher has provided a proof-of-concept on GitHub and tweeted out a link earlier this week – see below. WARNING: it will crash your Windows 10 PC into recovery mode, and require you to revert your filesystem back to a previous good backup. Don't touch it unless you know what you're doing.
Not the same bug I posted a while back, this doesn't write garbage to files but actually deletes them.. meaning you can delete application dll's and hope they go look for them in user write-able locations. Or delete stuff used by system services c:\windows\temp and hijack them. — SandboxEscaper (@SandboxEscaper) October 23, 2018
Acros Security CEO Mitja Kolsek noted that the flaw relies on abusing the Data Sharing Service, a component that is present in Windows 10 and Server 2016, but not on Windows 7, suggesting older machines will not be vulnerable to the exploit. Acros has produced an unofficial micropatch for Windows 10 to close the security hole.
Aaaand... we have a micropatch candidate on fully updated Windows 10 1803 https://t.co/9ci5f24GsX — Mitja Kolsek (@mkolsek) October 23, 2018
Those worried about an attack can install the micropatch, though as SandboxEscaper noted, the flaw will be difficult for an attacker to successfully exploit in the wild.
That also likely means that Microsoft will opt not to issue an out-of-band update for the coding cockup, and wait until next month's Patch Tuesday to post a permanent fix for the vulnerability. We have asked Redmond for confirmation, just in case. ®