Unpatched Windows bug published on Twitter
You can say what you want – Windows still has the most users worldwide. Be it Windows 7 or Windows 10, about 80% apparently prefer Microsoft’s OS. And why not? It nice looking, easy to use, has a wide variety of compatible programs and games and is well maintained.
That said it is not without its issues: There are enough privacy concerns, complaints about Microsoft’s patch policy and more going around online. Due to its position, it is an OS that is also uniquely interesting for hackers and security researchers alike. That’s why regular security patches to fix vulnerabilities and news concerning them should come as no surprise to anyone. Well, mostly.
Twitter bug rant
The latest Windows bug was published on Twitter and looks a lot like a rather colorful rant.
Here is the alpc bug as 0day: https://t.co/m1T3wDSvPX I don’t fucking care about life anymore. Neither do I ever again want to submit to MSFT anyway. Fuck all of this shit.
— SandboxEscaper (@SandboxEscaper) August 27, 2018
The link in the tweet is linked to a page on Github that seems to include a proof-of-concept of the vulnerability. Shortly after Will Dormann a vulnerability analyst at CERT/CC, verified that it indeed is a bug. According to him, it works well in a fully-patched 64-bit Windows 10 system.
I’ve confirmed that this works well in a fully-patched 64-bit Windows 10 system.
LPE right to SYSTEM! https://t.co/My1IevbWbz
— Will Dormann (@wdormann) 27. August 2018
What does the vulnerability do?
According to the security researcher, the vulnerability is a local privilege escalation. That means that someone can gain full admin privileges on any Windows PC. Since the bug is apparently in the ALPC, the Advanced Local Procedure Call, the impact will not be huge: It only can be exploited on a local system.
Right now there is no known fix for the bug but according to The Register Microsoft will update impacted systems and parts of the OS as soon as possible.
This article is also available in: German