• Details on the Task Scheduler ALPC zero-day

    Kevin Beaumont (@GossiTheDog) just published an excellent overview of the newly touted ALPC zero-day in Task Scheduler, complete with working exploit code.

    The flaw is in the Task Scheduler RPC method SchRpcSetSecurity, which writes a new DACL onto a file without properly checking whether the caller is allowed to change that file's permissions. Any local user, even a Guest account, can call it and rewrite the permissions on files they should have no control over.

    It’s a local privilege escalation bug: a program that is already running as an ordinary, low-privileged user can use it to gain SYSTEM-level control of the machine.
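    Because the primitive here is "change the DACL on a file you don't own", the most useful local check is DACL drift on files that should only ever be touched by an administrator. The following PowerShell script is an added example, not code from the original post, from Beaumont's write-up or from the published exploit; the watch list and the baseline path are assumptions chosen for illustration, and you would swap in whatever paths matter on your own systems.

```powershell
# Added example: baseline-and-compare check for unexpected DACL changes.
# Run once with -Update to record the baseline, then re-run (as a scheduled
# job or from your monitoring agent) to report any file whose DACL differs.
param(
    # Assumed location for the baseline file; adjust to taste.
    [string]$BaselinePath = "$env:ProgramData\acl-baseline.json",
    [switch]$Update
)

# Assumed watch list: directories and binaries whose permissions should only
# change during an administrator-driven update. Extend for your environment.
$WatchList = @(
    "$env:SystemRoot\Tasks",
    "$env:SystemRoot\System32\Tasks",
    "$env:SystemRoot\System32\drivers",
    "$env:SystemRoot\System32\config",
    "$env:SystemRoot\System32\services.exe",
    "$env:SystemRoot\System32\svchost.exe"
)

function Get-AclSnapshot {
    param([string[]]$Paths)
    # Map each existing path to its security descriptor in SDDL form.
    $snapshot = @{}
    foreach ($p in $Paths) {
        if (Test-Path -LiteralPath $p) {
            $snapshot[$p] = (Get-Acl -LiteralPath $p).Sddl
        }
    }
    return $snapshot
}

if ($Update -or -not (Test-Path -LiteralPath $BaselinePath)) {
    Get-AclSnapshot -Paths $WatchList | ConvertTo-Json | Set-Content -LiteralPath $BaselinePath
    Write-Host "ACL baseline written to $BaselinePath"
    return
}

$baseline = Get-Content -LiteralPath $BaselinePath -Raw | ConvertFrom-Json
$current  = Get-AclSnapshot -Paths $WatchList
$drift    = @()

foreach ($p in $current.Keys) {
    $old = $baseline.$p
    if ($null -eq $old) {
        $drift += [pscustomobject]@{ Path = $p; Status = 'not in baseline'; Current = $current[$p] }
    } elseif ($old -ne $current[$p]) {
        $drift += [pscustomobject]@{ Path = $p; Status = 'DACL changed'; Current = $current[$p] }
    }
}

if ($drift.Count -eq 0) {
    Write-Host "No DACL drift detected on $($current.Count) watched paths."
} else {
    # Any hit here deserves a look: a low-privileged user should never be able
    # to cause the DACL on these objects to change.
    $drift | Format-Table -AutoSize
    exit 1
}
```

Comparing the raw SDDL string is deliberately strict: an added ACE granting a standard user write access, which is what this class of bug hands an attacker, shows up as a change even if everything else is untouched. Re-baseline with -Update after legitimate servicing so that Windows Update's own permission changes don't keep tripping the check.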

    Catalin Cimpanu on Bleeping Computer posted the initial revelation from @SandboxEscaper, who published the original exploit code on GitHub and then deleted their Twitter account.

    Because an attacker has to be able to run code on the machine already, this isn't a remote threat on its own, so there's nothing to panic about yet; still, expect to see a fix for all versions of Windows before too long.