Zero-day vulnerabilities are potential security weak points found in programs after they’ve been released. Obviously, the program developers are unaware of the vulnerabilities, so it is often third parties who discover them and then share their findings so that they can be closed up by the developers in question. We’ve reported a couple of times on Google’s dedicated zero-day hunting team and the bugs they’ve found .
A new zero-day vulnerability has been discovered in Windows 10 that could lead to a malicious attack
According to a report by ZDNet , the new vulnerability was discovered by security researcher SandboxEscaper. The vulnerability relates to Windows Task Scheduler but is unable to take control of a victim’s computer alone. However, if it is used in conjunction with other nefarious methods it could prove very harmful to the victim’s online security. When done so, the vulnerability allows the hacker to run a specific .job file within Task Scheduler to grant admin privileges.
SandboxEscaper published the details and code of the vulnerability to GitHub , without notifying Microsoft. This means there is still no official word on when a patch for the exploit will be available. As to whether it is responsible behavior to publish a vulnerability, including code and demonstration video, online without first notifying the developers that could close it off is for you to decide. Hackers now know of this vulnerability and we now have to wait for Microsoft to patch it.
Researcher also released a demo video of the LPE zero-day in action. See below: pic.twitter.com/ZX8XWLQ74z
— Catalin Cimpanu (@campuscodi) May 22, 2019
This isn’t the first time SandboxEscaper has acted in this way either. According to the same ZDNet report, she released four other Windows zero-day vulnerabilities in the same manner last year. Three of these were patched by Microsoft without any problems but one of them was used in active malware campaigns for weeks after its release.
It took Microsoft between one or two months to patch the four vulnerabilities SandboxEscaper published in 2018 which means there will be a lot of pressure at Microsoft HQ, if the software giant wants to fix this latest vulnerability in time for its next scheduled patch on Tuesday, June 11. Microsoft has two weeks if it wants to hit that deadline.
Read more
New scam spotted on the Google Play Store ►
Security alert: new Netflix phishing scams ►
This ingenious phishing scam is targeting iPhone users ►
New year, new scams: what to watch out for in 2019 ►
So, who exactly is vulnerable to this potential exploit? It has only been confirmed so far on Windows 10 32-bit systems but it is believed, however, that, in theory at least, it could be adapted to work on all Windows systems all the way back to Windows XP and Server 2003.
When a hacker gains administrative privileges over a system it gives them complete access to everything on it. This potential vulnerability should be taken seriously, but all we can do for now is hope that Microsoft gets a patch out before hackers start trying to exploit it.
More about Windows 10
How to start Windows 10 in safe mode ►
How to turn on Bluetooth in Windows 10 ►
Windows 10 has a new free Microsoft Office app ►
Microsoft’s latest trick to get you to upgrade to Windows 10 ►