Kevin Beaumont (@GossiTheDog) just published an excellent overview of the newly touted ALPC zero-day in Task Scheduler. Complete with working exploit
[See the full post at: Details on the Task Scheduler ALPC zero-day]
![]() |
There are isolated problems with current patches, but they are well-known and documented on this site. |
SIGN IN | Not a member? | REGISTER | PLUS MEMBERSHIP |
-
Details on the Task Scheduler ALPC zero-day
Home » Forums » Newsletter and Homepage topics » Details on the Task Scheduler ALPC zero-day
- This topic has 18 replies, 11 voices, and was last updated 4 years, 6 months ago.
AuthorTopicViewing 10 reply threadsAuthorReplies-
dportenlanger
AskWoody Lounger -
JCCWsusser
AskWoody Lounger -
OscarCP
MemberAccording to Woody’s in the Home Page: ” Nothing to worry about yet, but expect to see a fix for all versions of Windows before too long. ”
Looking into this, I find the following at Born’s:
” Will Dormann, a vulnerability analyst at the CERT/CC, tested the exploit and confirmed that it “works well in a fully-patched 64-bit Windows 10 system.”
About the vulnerability
He also prepared a vulnerability note detailing the flaw: a local privilege escalation vulnerability in the Advanced Local Procedure Call (ALPC) interface used by the Microsoft Windows task scheduler, the exploitation of which can allow a local user to obtain SYSTEM privileges on the target computer.“The CERT/CC is currently unaware of a practical solution to this problem,” he wrote, and later remarked on Twitter that he’s currently unaware of any workarounds.
UK-based security architect Kevin Beaumont also confirmed the exploit works.
The vulnerability has yet to receive a CVE number but has bee awarded a CVSS score that puts it in the “medium” risk category.
According to The Register, a Microsoft spokesperson acknowledged the existence of the vulnerability and said the company will “proactively update impacted advices as soon as possible”. ” (Emphasis is mine.)
“Advices”? Typo, or impenetrably opaque jargon?
So, does this bit of malware threaten users of all versions of Windows, those still supported in particular? Please, perhaps someone could confirm this? Thanks.
Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).
MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV4 users thanked author for this post.
-
gborn
AskWoody_MVPCurrently I’m a bit confused. I tried to execute the commands, the PoC author has shown within his video shipped with the PoC archive. Using a standard user account in 64 bit Win 7, I wasn’t able to grant SYSTEM privileges to a process like Notepad. Maybe it’s my fault and I made an error or overlooked something.
The fact, that Microsoft didn’t release an emergency patch and addresses the next patchday is probably an indication, that the 0-day exploit isn’t that critical. But that’s my personal opinion. We will wait and see.
Ex Microsoft Windows (Insider) MVP, Microsoft Answers Community Moderator, Blogger, Book author
https://www.borncity.com/win/
4 users thanked author for this post.
-
Noel Carboni
AskWoody_MVPI’m imagining the mitigations for this could cause things that have always worked to stop working.
It has always been common practice to start things that need privilege via the Task Scheduler when a user logs in. I have, for example a program called WizMouse that starts when I log in and intercepts mouse wheel events and sends them to whatever application the mouse is over (and it actually works better than the Windows facility to do the same).
I smell a potential loss of functionality in the name of security here. I definitely need to learn more detail about this one.
As far as being vulnerable to this… Just be careful what you run – as always. This isn’t something where someone on the other side of the world can magically reach into your computer and make things go wrong. NEVER assume that you can just blithely run software (e.g., malware) on your computer and somehow it will protect itself. That’s always been a pipe dream and it always will be.
-Noel
1 user thanked author for this post.
-
AlexEiffel
AskWoody_MVP
anonymous
Guestsantino
AskWoody LoungerGoneToPlaid
AskWoody Loungeranonymous
GuestKudos (I mean — give points) to both santino and GoneToPlaid.
If an important part of the demonstratable attack code involves the XPS driver, and if I don’t use the XPS driver at all, would I be better off simply removing the XPS driver (and anything else XPS-related which I can find)?
HMcF
Win7 Pro SP1 64-bit, Group B until Dec 2018, later Group W. In process of switching to Linux Mint.
1 user thanked author for this post.
GoneToPlaid
AskWoody LoungerI just uninstalled XPS Services and XPS Viewer from my Win7 computer, with no ill effects, even though there was a popup which warned that some services possibly would stop working or that some default settings would be changed. When you install Win7 the default printer is the XPS printer. I don’t think that I ever used XPS even once during many years. I didn’t even have to reboot after uninstalling these two Windows components.
-
anonymous
Guest
AlexEiffel
AskWoody_MVP“The recently discovered Windows zero-day – which still doesn’t have a patch – has been used in the wild for the last week, with an active info-stealing campaign emerging just two days after its disclosure on Twitter.”
https://threatpost.com/active-spy-campaign-exploits-unpatched-windows-zero-day/137237/
-
b
ManagerFrom the bottom line of that article; CERT/CC has added a temporary workaround sometime within the last week:
Set ACLs on the C:\Windows\Tasks directory
Karsten Nilsen has provided a mitigation for this vulnerability. Caution: This mitigation has not been approved by Microsoft. However, in our testing it does block exploits for this vulnerability. It also appears to let scheduled tasks to continue to run, and users can continue to create new scheduled tasks as necessary. However, this change will reportedly break things created by the legacy task scheduler interface. This can include things like SCCM and the associated SCEP updates. Please ensure that you have tested this mitigation to ensure that it does not cause unacceptable consequences in your environment.To apply this mitigation, run the following commands in an elevated-privilege prompt,:
icacls c:\windows\tasks /remove:g “Authenticated Users”
icacls c:\windows\tasks /deny system:(OI)(CI)(WD,WDAC)Note that when a fix is made available for this vulnerability, these changes should be undone. This can be done by executing the following commands:
icacls c:\windows\tasks /remove:d system
icacls c:\windows\tasks /grant:r “Authenticated Users”:(RX,WD)
(It seemed like a worthwhile protection to me, so I’ve done this on my computers.)
Windows 11 Pro version 22H2 build 22621.1483 + Microsoft 365 + Edge
2 users thanked author for this post.
-
anonymous
GuestAt this point this is a threat to all supported Windows versions (7, 8, 8.1 and various 10’s), so my guess would be those still on xp can breath easy for a change…
I d not understand why placing a Notepad dll in the System works as the starting point of a multi phase attack, and perhaps someone could explain that here. But more importantly: is my assumption that, at least for now, being careful as usual when receiving email from a supposedly trusted source with an incongruent ‘subject’ header and leaving it unopened and trashing it instead will make this much less of a threat?
The article also mentions that fake updates to “Google applications” as a point of entry. Does this include the browser Chrome, that updates itself automatically? Thanks.
1 user thanked author for this post.
-
b
ManagerNotepad was the end of the proof of concept, not the start; it was just used as a sample executable to be launched with system privileges due to the flaw.
GoogleUpdate.exe is the program run by task scheduler to automatically update the Chrome browser and other applications, but it is not an entry point for this exploit so there are no fake updates.
The current attack replaces that program with a malicious version which will then run automatically. It does appear to start with an “unpaid invoice” email attachment so far.
Windows 11 Pro version 22H2 build 22621.1483 + Microsoft 365 + Edge
2 users thanked author for this post.
-
b
Manager
-
b
ManagerPatched today for all current versions of Windows:
CVE-2018-8440 | Windows ALPC Elevation of Privilege Vulnerability
Windows 11 Pro version 22H2 build 22621.1483 + Microsoft 365 + Edge
4 users thanked author for this post.
Viewing 10 reply threads -

Plus Membership
Donations from Plus members keep this site going. You can identify the people who support AskWoody by the Plus badge on their avatars.
AskWoody Plus members not only get access to all of the contents of this site -- including Susan Bradley's frequently updated Patch Watch listing -- they also receive weekly AskWoody Plus Newsletters (formerly Windows Secrets Newsletter) and AskWoody Plus Alerts, emails when there are important breaking developments.
Get Plus!
Welcome to our unique respite from the madness.
It's easy to post questions about Windows 11, Windows 10, Win8.1, Win7, Surface, Office, or browse through our Forums. Post anonymously or register for greater privileges. Keep it civil, please: Decorous Lounge rules strictly enforced. Questions? Contact Customer Support.
Search Newsletters
Search Forums
View the Forum
Search for Topics
Recent Topics
-
KB5023702 for Server 2019 – Defer as of MPL March 27
by
Aviel
36 minutes ago -
eSIM out, iSIM in ?
by
Alex5723
6 hours, 11 minutes ago -
MS-DEFCON 4: Win11 22H2 not ready for prime time
by
Susan Bradley
10 minutes ago -
Microsoft Edge Remover
by
Alex5723
2 hours, 5 minutes ago -
Windows Desktop refreshes repeatedly every few seconds
by
JimT777
8 hours, 55 minutes ago -
Apple zero days fixed today
by
Susan Bradley
3 hours, 39 minutes ago -
W10 22H2 Desktop rogue icon won’t allow me to rename, delete, or replace it
by
lanshark
11 hours, 13 minutes ago -
Footnote separators not deleting
by
Ursula
16 hours, 52 minutes ago -
Should I Go Beyond Version 21H2
by
kstephens43
1 hour, 54 minutes ago -
MacStealer: New macOS-based Stealer Malware Identified
by
Alex5723
15 hours, 53 minutes ago -
PowerShell – Testers Needed
by
RetiredGeek
10 hours, 19 minutes ago -
Audio from www.whenradiowas.com stops playing after 7-20 minutes
by
David Pressman
25 minutes ago -
KB4023057: Update for Windows Update Service components
by
RetiredGeek
19 hours, 25 minutes ago -
win 12 as BORG?
by
krism
16 hours, 37 minutes ago -
Windows 11 — should I stay on Windows 10?
by
DDR
17 hours, 51 minutes ago -
Did I really install PaintShop Pro?
by
Mike Ray
16 hours, 20 minutes ago -
You’re fired if you don’t know how to use GPT-4
by
B. Livingston
8 hours, 18 minutes ago -
Microsoft 365 Copilot announced
by
Will Fastie
2 hours, 20 minutes ago -
What’s wrong with OneNote — and what you can fix
by
Mary Branscombe
17 hours, 13 minutes ago -
Temp_Cleaner GUI — Just what I was looking for
by
Deanna McElveen
2 hours, 55 minutes ago -
Who controls our tech?
by
Susan Bradley
8 hours, 58 minutes ago -
Missing drives
by
ibe98765
1 day, 7 hours ago -
Can I boot into Win7 from Win10 laptop
by
Brian Snelling
11 hours, 12 minutes ago -
How to Force HP Pavilion Laptop to Boot from USB Stick
by
kstephens43
17 hours, 10 minutes ago -
The Internet Archive lost in court vs publishers
by
Alex5723
2 days ago -
why is free space shrinking
by
compiler
1 day, 14 hours ago -
Celebrating Spring
by
Susan Bradley
20 hours, 57 minutes ago -
TicTock is child’s play compared to Flowtime devices (From TheGuardian.Com)
by
CAS
48 minutes ago -
iOS/iPadOS 16.4 : Dim Epilepsy-Inducing Flashing Lights In Videos
by
Alex5723
2 days, 22 hours ago -
windows networking issues
by
jwhiz56
1 day, 21 hours ago
Recent blog posts
Key Links
Want to Advertise in the free newsletter? How about a gift subscription in honor of a birthday? Send an email to sb@askwoody.com to ask how.
Mastodon profile for DefConPatch
Mastodon profile for AskWoody
Home • About • FAQ • Posts & Privacy • Forums • My Account
Register • Free Newsletter • Plus Membership • Gift Certificates • MS-DEFCON Alerts
Copyright ©2004-2023 by AskWoody Tech LLC. All Rights Reserved.