Windows 10 May Update hit by major zero-day vulnerability
Microsoft recently rolled out a new Windows 10 feature update. Apparently, the company ignored a major security flaw that existed in Windows 10.
The flaw was spotted in advanced Task Scheduler settings. This vulnerability allows hackers to get complete administrative privileges over your files.
A researcher named SandboxEscaper first spotted the vulnerability and posted it online. The researcher took it to Github and posted the zero-day vulnerability on the platform.
As of now, Microsoft didn’t acknowledge the security flaw within the Task Scheduler. Once the company acknowledges the bug, a security patch will be available very soon.
Surprisingly, a Twitter user revealed the zero-day vulnerability targets those Windows 10 system that recently installed Windows 10 v1903. Furthermore, the user stated that anyone can easily exploit the vulnerability.
I can confirm that this works as-is on a fully patched (May 2019) Windows 10 x86 system. A file that is formerly under full control by only SYSTEM and TrustedInstaller is now under full control by a limited Windows user.
Works quickly, and 100% of the time in my testing. pic.twitter.com/5C73UzRqQk
— Will Dormann (@wdormann) May 21, 2019
SandboxEscaper also released a video to demonstrate the proof-of-concept (POC) attack.
SandboxEscaper just released this video as well as the POC for a Windows 10 priv esc pic.twitter.com/IZZzVFOBZc
— Chase Dardaman (@CharlesDardaman) May 21, 2019
Notably, the researcher further claims to identify 4 additional flaws in the Windows 10 OS. One of these vulnerabilities allows the exploiter to bypass the security of sandbox. Microsoft needs to act fast and patch this vulnerability before it causes some serious damage.
SandboxEscaper previously spotted several zero-day vulnerabilities. However, the user never informed Microsoft about the issues before releasing them.
Reddit users wanted her to first notify Microsoft about the issues.
Scary! Is there a reason she released it publicly? Wish she would at least notify Microsoft and give them a chance. At least these are just LPEs.
As far as the recent vulnerability is concerned, Microsoft is expected to release the necessary patches on Patch Tuesday.
RELATED ARTICLES YOU NEED TO CHECK OUT:
- Yet another Windows zero-day vulnerability found by Kaspersky
- 5 of the best antivirus with website blocker/ web filtering