
Forum Moderators: bill

Microsoft Windows New Zero-Day Vulnerability Disclosed

     
5:02 pm on Aug 29, 2018 (gmt 0)

Administrator from GB 

engine

joined:May 9, 2000
posts:25657
votes: 784


There's a new zero-day vulnerability proof of concept exposed earlier this week for Windows, which has been confirmed by CERT/CC.
Microsoft is aware of the flaw, and, as yet, there are no known workarounds or patches.
The next Patch Tuesday is expected on September 11, 2018, unless an out-of-schedule patch is issued.

The Windows vulnerability is described as a local privilege escalation security flaw in the Microsoft Windows task scheduler caused by errors in the handling of Advanced Local Procedure Call (ALPC) systems.

If exploited, the zero-day bug permits local users to obtain system privileges.


[zdnet.com...]
10:04 pm on Aug 29, 2018 (gmt 0)

Moderator from US 

keyplyr

joined:Sept 26, 2001
posts:12913
votes: 890


It appears this "vulnerability" is local, meaning the perp would need access to your machine to reset any permissions, which of course would be the same if this "vulnerability" didn't exist.
11:30 am on Aug 30, 2018 (gmt 0)

Senior Member from GB 


joined:Nov 16, 2005
posts:2820
votes: 135


I do not see why that stops it being a vulnerability. If any user can get privileges they should not (i.e. admin or some subset of it), it's a serious flaw on any multi-user machine. So, it's a big problem on shared hosting servers, or any other setup where you do not want every user to be an admin.
6:48 pm on Aug 30, 2018 (gmt 0)

Moderator from US 

keyplyr

joined:Sept 26, 2001
posts:12913
votes: 890


I do not see why that stops it being a vulnerability...
Is that what you thought I said?

Windows 10 is not "shared hosting servers"; however, yes, a flaw is a flaw whether the machine is a multi-user environment or not.

One of my Windows 10 machines makes me sign in a second time when I try to access a certain group of files. Another Windows 10 machine keeps telling me I don't have permission to access a directory, but if I get there by another route there's no issue. I'd say these are flaws.
12:10 pm on Aug 31, 2018 (gmt 0)

Senior Member from GB 


joined:Nov 16, 2005
posts:2820
votes: 135


It "likely" works on Windows Server 2016 according to this: [doublepulsar.com...] which is one of the sources used by CERT: [kb.cert.org...]
 
