ALPC tweet

A security researcher has published on Twitter details about a vulnerability in the Windows OS.

The vulnerability is a "local privilege escalation" issue that allows an attacker to elevate the access of malicious code from a limited USER role to an all-access SYSTEM account.

Will Dormann, an engineer of CERT/CC, has confirmed the vulnerability and has issued an official CERT/CC alert last night.

Dormann says the vulnerability resides in the Windows Task Scheduler, and more precisely in the Advanced Local Procedure Call (ALPC) interface.

The ALPC interface is a Windows-internal mechanism that works as an inter-process communication system. ALPC enables a client process running within the OS to ask a server process running within the same OS to provide some information or perform some action.

The researcher, who goes online by the name of SandboxEscaper, has released proof-of-concept (PoC) code on GitHub for exploiting the ALPC interface to gain SYSTEM access on a Windows system.

Malware authors will particularly be interested in this PoC, as it allows benign malware to gain admin access on targeted systems using an exploit more reliable than many existing methods.

SandboxEscaper has not notified Microsoft about the vulnerability, meaning there is no patch for this flaw. Currently, all Windows 64-bit users are vulnerable.

Microsoft's next security updates are scheduled for September 11, the date of the company's next Patch Tuesday.

Related Articles:

Windows Task Scheduler Zero Day Exploited by Malware

Temporary Patch Available for Recent Windows Task Scheduler ALPC Zero-Day

Microsoft September 2018 Patch Tuesday Fixes 16 Critical Vulnerabilities

Microsoft August 2018 Patch Tuesday Fixes 60 Security Flaws, Including Two Zero-Days

Windows Systems Vulnerable to FragmentSmack, 90s-Like DoS Bug