A zero-day vulnerability has been discovered in Windows Task Scheduler and an exploit for the flaw has been published on GitHub.
The local privilege escalation vulnerability exists in the Advanced Local Procedure Call (ALPC) interface and, if exploited, would enable a malicious actor to elevate malicious code from a limited USER role to a SYSTEM account with full access. The Task Scheduler API function SchRpcSetSecurity does not check permissions, which allows any user, including a guest, to call the function and set file permissions locally.
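The missing caller check described above, as an added example that is not part of the original article and is not Microsoft's code: a simplified C model in which a privileged service changes a file's ACL on request, first without and then with an authorization check on the caller. All names (`file_obj`, `set_security_unchecked`, `set_security_checked`, the principals and the rights) are hypothetical.

```c
#include <stdbool.h>

/* Simplified model with hypothetical names; not the Task Scheduler code. */
enum principal { GUEST, USER, ADMIN, SYSTEM_ACCT, N_PRINCIPALS };
enum { RIGHT_READ = 1, RIGHT_WRITE = 2, RIGHT_WRITE_DAC = 4 };

struct file_obj {
    enum principal owner;
    unsigned acl[N_PRINCIPALS];   /* rights bitmask per principal */
};

/* True if `who` may change the file's ACL: owner or holder of WRITE_DAC. */
static bool may_change_acl(const struct file_obj *f, enum principal who)
{
    return f->owner == who || (f->acl[who] & RIGHT_WRITE_DAC) != 0;
}

/* Flawed handler: the privileged service applies the change under its own
 * identity and never looks at `caller`. */
bool set_security_unchecked(struct file_obj *f, enum principal caller,
                            enum principal grantee, unsigned rights)
{
    (void)caller;                 /* the caller's rights are never consulted */
    f->acl[grantee] = rights;
    return true;
}

/* Hardened handler: authorize against the caller, not the service. */
bool set_security_checked(struct file_obj *f, enum principal caller,
                          enum principal grantee, unsigned rights)
{
    if ((unsigned)caller >= N_PRINCIPALS || (unsigned)grantee >= N_PRINCIPALS)
        return false;
    if (!may_change_acl(f, caller))
        return false;             /* deny: caller cannot rewrite this ACL */
    f->acl[grantee] = rights;
    return true;
}

/* Constructed sample: a file owned by SYSTEM that guests can only read. */
struct file_obj make_system_file(void)
{
    struct file_obj f = { SYSTEM_ACCT, { RIGHT_READ, RIGHT_READ,
        RIGHT_READ | RIGHT_WRITE | RIGHT_WRITE_DAC,
        RIGHT_READ | RIGHT_WRITE | RIGHT_WRITE_DAC } };
    return f;
}
```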
Security researcher SandboxEscaper released the proof-of-concept code, which would allow SYSTEM access to be gained on any Windows 64-bit system. All Windows 10 64-bit users are vulnerable to an attack, and the exploit has been confirmed to work on all Windows Server 2016 systems. At present the exploit will not work on 32-bit versions of Windows, although it may be possible to tweak the exploit code to affect other Windows versions.
Microsoft was not notified about the vulnerability prior to the PoC exploit being published, although the firm is aware of the flaw and will be proactively working on a fix for all affected devices.
At present the vulnerability remains unpatched and, unless Microsoft releases an emergency patch, it is unlikely to be addressed until Patch Tuesday on September 11. No practical solution is currently thought to exist that could be implemented to protect vulnerable users before a patch is released.
The flaw has been assigned a CVSSv3 base score of 6.8 – medium severity.