Dr. Erdal Ozkaya

New Windows 10 Security Exploit Can Read All Your Files – What You Need To Know

Posted by Erdal, 2021-06-29 07:09 (UTC-04:00)

New Windows 10 Security Exploit

A security researcher with a history of releasing zero-day exploits for the Windows operating system has struck again, this time just days after the latest Patch Tuesday security updates were rolled out. That timing means it is unlikely there will be a fix for Windows 10 users until June 11 at the earliest. So what did SandboxEscaper just drop into the Windows threat landscape, what are the risks, and is there worse to come?

In this leak, the published exploit for a Task Scheduler vulnerability lets an attacker who already has a foothold perform a local privilege escalation (LPE) and gain complete control of a fully patched, current version of Windows 10.

SandboxEscaper focused on the Task Scheduler and triggered the bug in Windows 10 by calling the RPC* function SchRpcRegisterTask (the method that registers a task with the server), which is exposed by the Task Scheduler service.

What should you do?

1. Don't panic. Anything that interacts with the Task Scheduler is fairly unsubtle and easy to detect, so the exploit leaves traces.
2. Most enterprises have many additional security controls and behaviour monitoring in place, and those should keep you "safe" until a patch is available.

What should you do at home?

Ensure your security software is up to date, do not use "cracked" software, stay away from insecure web sites, and do not enable macros in documents you receive by e-mail (beware of phishing attacks). This exploit only elevates privileges; the attacker still needs to get code running on your machine first.

*Remote Procedure Call (RPC) is a protocol that one program can use to request a service from a program located on another computer on a network without having to understand the network's details. In this case the call is made locally, to the Task Scheduler service running on the same machine, which is why the result is a local privilege escalation rather than a remote attack.


Technical Details 

According to SandboxEscaper's write-up, on older Windows versions tasks were placed in C:\Windows\Tasks in the legacy ".job" file format. To import such a .job file into the Task Scheduler on Windows 10, you copy the old .job files into C:\Windows\Tasks and run schtasks.exe against them, using a schtasks.exe and schedsvc.dll copied from the old system.

Attackers can import and run a malformed .job file that exploits a flaw in the way the Task Scheduler service changes the DACL (discretionary access control list) permissions of an individual file.

When exploited, the vulnerability can elevate an attacker's low-privileged account to administrator-level access, which in turn gives the intruder control over the entire system.

SandboxEscaper also warned that she has found more zero-days and that they are on the way:

“Oh, and I have 4 more unpatched bugs where that one came from.

3 LPEs (all gaining code exec as a system, not lame delete bugs or whatever), and one sandbox escape.”


What just happened?

A security researcher going by the name of SandboxEscaper has posted a proof-of-concept demo for a Windows zero-day exploit online. This local privilege escalation (LPE) exploit is the fifth in a series of zero-days that SandboxEscaper has dropped into the Windows environment over the last year. The latest proof of concept doesn't enable anyone to actually access your computer, but it does provide a method by which those who already have access can upgrade their privileges to administrator level and, in doing so, gain carte blanche over your data.

SandboxEscaper has previous for using the Windows Task Scheduler tool for nefarious purposes, and this latest zero-day is no exception. It uses the tool to import and run a malformed task file that exploits a vulnerability in the way Task Scheduler sets discretionary access control list (DACL) permissions on files, giving full control to any user rather than just the system administrator. Will Dormann, a vulnerability analyst at CERT/CC, explained in a tweet that the exploit "works as-is on a fully patched Windows 10 x86 system… quickly, and 100% of the time in my testing." It also works, according to Dormann, on a 64-bit Windows 10 computer if "you are not afraid to compile your own code."

What was the motivation?

As mentioned, SandboxEscaper has a reputation for releasing exploit code without any prior disclosure to Microsoft. Reporting on one of these last year, Forbes contributor Marco Chiappetta suggested that “depression may have been a factor in SandboxEscaper’s decision to post the exploit” and quoted her as saying “I screwed up, not MSFT (they are actually a cool company). Depression sucks.”

However, in her latest blog postings announcing the new exploit, SandboxEscaper writes “I don’t owe society a single thing. Just want to get rich and give you f*cktards in the west the middle finger. I’m donating all my work to enemies of the U.S.” Make of that what you will. The timing is also interesting as it comes straight after the monthly Microsoft update cycle which means it leaves the window of exploit opportunity open until June 11 when the next cycle is scheduled.

 

Is there worse to come?

It appears that this isn’t going to be the last we hear from SandboxEscaper either. In that same series of blog posts, she says that she has four more unpatched zero-days. “If any non-western people want to buy LPEs,” she writes, “Won’t sell for less than 60k.” Ian Thornton-Trump, head of security at AmTrust International, told me during a conversation this morning that as far as the economics of selling exploits are concerned it’s “kind of a sh*thead move.”

You can understand why as Microsoft is known for having a pretty generous bug bounty program which enables researchers to cash in on their findings without taking the criminal route to riches. “It’s sad that folks burn the opportunity to contribute to the information security community,” Thornton-Trump said.

What can you do to mitigate the risk?

Given that it is unlikely, based on responses to the previous exploits released by SandboxEscaper, that we will see any patch to fix this zero-day until the next Patch Tuesday on June 11, what can you do to mitigate the risk? “I will tell you that anything that interacts with the task scheduler is going to be pretty unsubtle and fairly easy to detect,” Thornton-Trump advises, “probably even by Windows Defender.”

Of course, that doesn't mean it will be an impotent threat, and zero-day attacks must always be considered a very real and present danger to data. That said, Thornton-Trump isn't panicking over this, as most enterprise endpoints have many compensating security controls deployed and those should provide adequate protection. Home users are advised to ensure their security software is up to date and take care to prevent attackers from gaining access to their systems in the first place…
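The checks below turn two points on this page into something a defender can actually run: the import path through C:\Windows\Tasks described under Technical Details, and Thornton-Trump's remark that Task Scheduler activity is easy to detect. This is an added example, not code from the original article or from SandboxEscaper. The list of "should never have full control" principals and the 24-hour window are assumptions; the log names and event IDs (Task Scheduler operational event 106 "Task registered", Security event 4698 "A scheduled task was created") are the standard Windows ones.

```powershell
# Added example (not part of the original article). Run in an elevated
# PowerShell 5.1 session on Windows 10; reading the Security log needs admin.

# 1. Legacy .job files. Windows 10 stores tasks as XML under
#    C:\Windows\System32\Tasks, so a .job file in C:\Windows\Tasks is unusual
#    and matches the import path the exploit relies on.
function Get-LegacyJobFiles {
    param([string]$TasksDir = "$env:SystemRoot\Tasks")
    Get-ChildItem -Path $TasksDir -Filter '*.job' -File -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, LastWriteTime
}

# 2. Recent task registrations. Event 106 lives in the Task Scheduler operational
#    log, which is disabled by default on many Windows 10 builds (enable it with
#    wevtutil sl Microsoft-Windows-TaskScheduler/Operational /e:true). Security
#    event 4698 needs the "Audit Other Object Access Events" policy turned on.
function Get-RecentTaskRegistrations {
    param([int]$Hours = 24)   # assumption: a one-day look-back window
    $since = (Get-Date).AddHours(-$Hours)
    $queries = @(
        @{ LogName = 'Microsoft-Windows-TaskScheduler/Operational'; Id = 106;  StartTime = $since },
        @{ LogName = 'Security';                                    Id = 4698; StartTime = $since }
    )
    # A query against a disabled log or with no hits returns nothing rather than failing.
    $events = foreach ($q in $queries) {
        Get-WinEvent -FilterHashtable $q -ErrorAction SilentlyContinue
    }
    $events | Sort-Object TimeCreated -Descending |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
}

# 3. DACL check. The exploit ends with a low-privileged principal holding full
#    control of a file it should not own, so scan for Allow ACEs that grant
#    FullControl to broad or low-privilege identities.
function Find-SuspiciousFullControl {
    param(
        [string]$Path = "$env:SystemRoot\System32",
        # Assumption: these principals should never hold FullControl on system
        # files. Extend the list (e.g. with a specific low-privilege account)
        # to fit your environment.
        [string[]]$Principals = @('Everyone', 'BUILTIN\Users',
                                  'NT AUTHORITY\Authenticated Users',
                                  'NT AUTHORITY\INTERACTIVE')
    )
    $full = [int][System.Security.AccessControl.FileSystemRights]::FullControl
    $genericAll = 0x10000000   # GENERIC_ALL shows up as a raw number on some ACEs
    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $file = $_
        try { $acl = Get-Acl -LiteralPath $file.FullName -ErrorAction Stop } catch { return }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($Principals -notcontains $ace.IdentityReference.Value) { continue }
            $rights = [int]$ace.FileSystemRights
            $hasFull = (($rights -band $full) -eq $full) -or (($rights -band $genericAll) -ne 0)
            if ($hasFull) {
                [pscustomobject]@{
                    File      = $file.FullName
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited   # explicit (non-inherited) grants are the interesting ones
                }
            }
        }
    }
}

Get-LegacyJobFiles | Format-Table -AutoSize
Get-RecentTaskRegistrations -Hours 24 | Format-Table -AutoSize
Find-SuspiciousFullControl -Path "$env:SystemRoot\System32" | Format-Table -AutoSize
```

The first two functions look for the attack in progress (a legacy .job file being dropped and a task being registered); the third looks for its result, a system file whose DACL now grants full control to an ordinary user. Explicit, non-inherited grants to the listed principals are the ones worth investigating; inherited entries usually come from a directory ACL and are much more likely to be benign.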

As published in Forbes by Davey Winder (@happygeek):

https://www.forbes.com/sites/daveywinder/2019/05/22/new-windows-10-threat-can-read-all-your-files-no-microsoft-patch-expected-before-june-11/
