Kevin Beaumont (@GossiTheDog) just published an excellent overview of the newly touted ALPC zero-day in Task Scheduler. Complete with working exploit
[See the full post at: Details on the Task Scheduler ALPC zero-day]
![]() |
There are isolated problems with current patches, but they are well-known and documented on this site. |
SIGN IN | Not a member? | REGISTER | PLUS MEMBERSHIP |
-
Details on the Task Scheduler ALPC zero-day
Home » Forums » Newsletter and Homepage topics » Details on the Task Scheduler ALPC zero-day
- This topic has 18 replies, 11 voices, and was last updated 5 years ago.
AuthorTopicViewing 10 reply threadsAuthorReplies-
dportenlanger
AskWoody Lounger -
JCCWsusser
AskWoody Lounger -
OscarCP
MemberAccording to Woody’s in the Home Page: ” Nothing to worry about yet, but expect to see a fix for all versions of Windows before too long. ”
Looking into this, I find the following at Born’s:
” Will Dormann, a vulnerability analyst at the CERT/CC, tested the exploit and confirmed that it “works well in a fully-patched 64-bit Windows 10 system.”
About the vulnerability
He also prepared a vulnerability note detailing the flaw: a local privilege escalation vulnerability in the Advanced Local Procedure Call (ALPC) interface used by the Microsoft Windows task scheduler, the exploitation of which can allow a local user to obtain SYSTEM privileges on the target computer.“The CERT/CC is currently unaware of a practical solution to this problem,” he wrote, and later remarked on Twitter that he’s currently unaware of any workarounds.
UK-based security architect Kevin Beaumont also confirmed the exploit works.
The vulnerability has yet to receive a CVE number but has bee awarded a CVSS score that puts it in the “medium” risk category.
According to The Register, a Microsoft spokesperson acknowledged the existence of the vulnerability and said the company will “proactively update impacted advices as soon as possible”. ” (Emphasis is mine.)
“Advices”? Typo, or impenetrably opaque jargon?
So, does this bit of malware threaten users of all versions of Windows, those still supported in particular? Please, perhaps someone could confirm this? Thanks.
Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).
MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV4 users thanked author for this post.
-
gborn
AskWoody_MVPCurrently I’m a bit confused. I tried to execute the commands, the PoC author has shown within his video shipped with the PoC archive. Using a standard user account in 64 bit Win 7, I wasn’t able to grant SYSTEM privileges to a process like Notepad. Maybe it’s my fault and I made an error or overlooked something.
The fact, that Microsoft didn’t release an emergency patch and addresses the next patchday is probably an indication, that the 0-day exploit isn’t that critical. But that’s my personal opinion. We will wait and see.
Ex Microsoft Windows (Insider) MVP, Microsoft Answers Community Moderator, Blogger, Book author
https://www.borncity.com/win/
4 users thanked author for this post.
-
Noel Carboni
AskWoody_MVPI’m imagining the mitigations for this could cause things that have always worked to stop working.
It has always been common practice to start things that need privilege via the Task Scheduler when a user logs in. I have, for example a program called WizMouse that starts when I log in and intercepts mouse wheel events and sends them to whatever application the mouse is over (and it actually works better than the Windows facility to do the same).
I smell a potential loss of functionality in the name of security here. I definitely need to learn more detail about this one.
As far as being vulnerable to this… Just be careful what you run – as always. This isn’t something where someone on the other side of the world can magically reach into your computer and make things go wrong. NEVER assume that you can just blithely run software (e.g., malware) on your computer and somehow it will protect itself. That’s always been a pipe dream and it always will be.
-Noel
1 user thanked author for this post.
-
AlexEiffel
AskWoody_MVP
anonymous
Guestsantino
AskWoody LoungerGoneToPlaid
AskWoody Loungeranonymous
GuestKudos (I mean — give points) to both santino and GoneToPlaid.
If an important part of the demonstratable attack code involves the XPS driver, and if I don’t use the XPS driver at all, would I be better off simply removing the XPS driver (and anything else XPS-related which I can find)?
HMcF
Win7 Pro SP1 64-bit, Group B until Dec 2018, later Group W. In process of switching to Linux Mint.
1 user thanked author for this post.
GoneToPlaid
AskWoody LoungerI just uninstalled XPS Services and XPS Viewer from my Win7 computer, with no ill effects, even though there was a popup which warned that some services possibly would stop working or that some default settings would be changed. When you install Win7 the default printer is the XPS printer. I don’t think that I ever used XPS even once during many years. I didn’t even have to reboot after uninstalling these two Windows components.
-
anonymous
Guest
AlexEiffel
AskWoody_MVP“The recently discovered Windows zero-day – which still doesn’t have a patch – has been used in the wild for the last week, with an active info-stealing campaign emerging just two days after its disclosure on Twitter.”
https://threatpost.com/active-spy-campaign-exploits-unpatched-windows-zero-day/137237/
-
b
ManagerFrom the bottom line of that article; CERT/CC has added a temporary workaround sometime within the last week:
Set ACLs on the C:\Windows\Tasks directory
Karsten Nilsen has provided a mitigation for this vulnerability. Caution: This mitigation has not been approved by Microsoft. However, in our testing it does block exploits for this vulnerability. It also appears to let scheduled tasks to continue to run, and users can continue to create new scheduled tasks as necessary. However, this change will reportedly break things created by the legacy task scheduler interface. This can include things like SCCM and the associated SCEP updates. Please ensure that you have tested this mitigation to ensure that it does not cause unacceptable consequences in your environment.To apply this mitigation, run the following commands in an elevated-privilege prompt,:
icacls c:\windows\tasks /remove:g “Authenticated Users”
icacls c:\windows\tasks /deny system:(OI)(CI)(WD,WDAC)Note that when a fix is made available for this vulnerability, these changes should be undone. This can be done by executing the following commands:
icacls c:\windows\tasks /remove:d system
icacls c:\windows\tasks /grant:r “Authenticated Users”:(RX,WD)
(It seemed like a worthwhile protection to me, so I’ve done this on my computers.)
Windows 11 Pro version 22H2 build 22621.2361 + Microsoft 365 + Edge
2 users thanked author for this post.
-
anonymous
GuestAt this point this is a threat to all supported Windows versions (7, 8, 8.1 and various 10’s), so my guess would be those still on xp can breath easy for a change…
I d not understand why placing a Notepad dll in the System works as the starting point of a multi phase attack, and perhaps someone could explain that here. But more importantly: is my assumption that, at least for now, being careful as usual when receiving email from a supposedly trusted source with an incongruent ‘subject’ header and leaving it unopened and trashing it instead will make this much less of a threat?
The article also mentions that fake updates to “Google applications” as a point of entry. Does this include the browser Chrome, that updates itself automatically? Thanks.
1 user thanked author for this post.
-
b
ManagerNotepad was the end of the proof of concept, not the start; it was just used as a sample executable to be launched with system privileges due to the flaw.
GoogleUpdate.exe is the program run by task scheduler to automatically update the Chrome browser and other applications, but it is not an entry point for this exploit so there are no fake updates.
The current attack replaces that program with a malicious version which will then run automatically. It does appear to start with an “unpaid invoice” email attachment so far.
Windows 11 Pro version 22H2 build 22621.2361 + Microsoft 365 + Edge
2 users thanked author for this post.
-
b
Manager
-
b
ManagerPatched today for all current versions of Windows:
CVE-2018-8440 | Windows ALPC Elevation of Privilege Vulnerability
Windows 11 Pro version 22H2 build 22621.2361 + Microsoft 365 + Edge
4 users thanked author for this post.
Viewing 10 reply threads -

Plus Membership
Donations from Plus members keep this site going. You can identify the people who support AskWoody by the Plus badge on their avatars.
AskWoody Plus members not only get access to all of the contents of this site -- including Susan Bradley's frequently updated Patch Watch listing -- they also receive weekly AskWoody Plus Newsletters (formerly Windows Secrets Newsletter) and AskWoody Plus Alerts, emails when there are important breaking developments.
Get Plus!
Welcome to our unique respite from the madness.
It's easy to post questions about Windows 11, Windows 10, Win8.1, Win7, Surface, Office, or browse through our Forums. Post anonymously or register for greater privileges. Keep it civil, please: Decorous Lounge rules strictly enforced. Questions? Contact Customer Support.
Search Newsletters
Search Forums
View the Forum
Search for Topics
Recent Topics
-
Strange problem after upgrade from Win10Pro 22H2 to Win11Pro 22H2
by
JohnH
57 minutes ago -
Return Full Context Menus to File Explorer
by
RetiredGeek
2 hours, 38 minutes ago -
Unusual Activity on Startup
by
Kenneth Stephens
6 hours, 29 minutes ago -
Windows Backup – incremental possible?
by
colin_thames
4 hours, 41 minutes ago -
New HD addition??
by
weendoggy
10 hours, 24 minutes ago -
Defcon 4 and Windows 11
by
cmar6
11 hours, 29 minutes ago -
Add-ins keep disappearing
by
hession
8 hours, 53 minutes ago -
MS-DEFCON 4: Is Windows 11 really a disaster?
by
Susan Bradley
36 minutes ago -
The Takahē is not extinct afterall
by
lylejk
20 hours, 18 minutes ago -
How to unbloc W10pro from moving to W11
by
hession
1 day, 10 hours ago -
Windows 11, Surface, and Windows Copilot
by
Will Fastie
13 hours, 16 minutes ago -
Why File Explorer keeps me on Windows
by
Josh Hendrickson
5 hours, 32 minutes ago -
Uninstalr — “World’s best cup of coffee”
by
Deanna McElveen
2 hours, 30 minutes ago -
Locked out of your refurbished computer?
by
Susan Bradley
2 hours, 14 minutes ago -
Thunderbird 115: Changing font size in the Message Panel
by
WCHS
1 day, 8 hours ago -
Lenovo ThinkPad not updating to Windows 11 22H2
by
Gordski
30 minutes ago -
Android Security
by
Magic66
1 day, 10 hours ago -
What happened to the manual?
by
Susan Bradley
1 day, 1 hour ago -
OK to Restore Files From a Possibly Hacked Computer?
by
kc27
2 days ago -
Startup loop after adding new user and installing File Explore Patch
by
PFC
3 days, 1 hour ago -
RoboCops comes to NYPD. You have the right to remain cyborg
by
Alex5723
3 days, 7 hours ago -
iOS 17 : New Safari Privat Search Engines
by
Alex5723
3 days, 8 hours ago -
Photos App running in background
by
Tom
2 days, 4 hours ago -
IPV6 Issue Win10 22H2 August Update
by
Win7and10
3 days, 6 hours ago -
Windows 11 Insider Preview build 23550 released to DEV
by
joep517
4 days, 6 hours ago -
Windows 11 Build 22621.2361 (22H2) released to Release Preview
by
joep517
4 days, 6 hours ago -
Lately I’ve been getting qr code spam attacks
by
Susan Bradley
4 days, 10 hours ago -
ghacks Wants Edge – FF Browser Update to View – hack/redirect
by
CraigS26
3 days, 7 hours ago -
iOS 17 : If your new iPhone gets stuck on the Apple logo when you transfer…
by
Alex5723
4 days, 18 hours ago -
Apple zero days out – September 2023
by
Susan Bradley
5 hours, 58 minutes ago
Recent blog posts
Key Links
Want to Advertise in the free newsletter? How about a gift subscription in honor of a birthday? Send an email to sb@askwoody.com to ask how.
Mastodon profile for DefConPatch
Mastodon profile for AskWoody
Home • About • FAQ • Posts & Privacy • Forums • My Account
Register • Free Newsletter • Plus Membership • Gift Certificates • MS-DEFCON Alerts
Copyright ©2004-2023 by AskWoody Tech LLC. All Rights Reserved.