Apply patch ASAP for Windows vulnerability
This message was sent to U-M IT staff groups via email on September 11, 2018. It is intended for U-M IT staff who are responsible for university machines running Windows.
Summary
Microsoft has released a patch for a zero-day vulnerability in Microsoft Windows task scheduler. Please apply the patch as soon as possible, after appropriate testing.
Problem
There is a local privilege escalation security vulnerability in the Microsoft Windows task scheduler caused by errors in the handling of Advanced Local Procedure Call (ALPC) systems. This could allow a local user to obtain system privileges. An attacker would need to have a way to execute commands on the machine as a local user to take advantage of this vulnerability.
Threats
This vulnerability is being exploited in the wild.
Affected Versions
CERT has verified that the public exploit code works on 64-bit Windows 10 and Windows Server 2016 systems. They confirmed compatibility with 32-bit Windows 10 with minor modifications to the public exploit code, and the exploit has been backported to Windows 7, 2008, 2012 and to 32-bit CPUs.
Action Items
Apply updates provided by Microsoft to vulnerable systems immediately after appropriate testing. See Microsoft's links to updates at Security Update Guide (Microsoft Security TechCenter).
Technical Details
Microsoft Windows task scheduler contains a vulnerability which can allow a local user to gain SYSTEM privileges, because the Advanced Local Procedure Call (ALPC) function does not properly check permissions on files stored in the Windows Task Scheduler folder. A local user can create a hard link in the Windows Task Scheduler folder, to leverage ALPC’s ability to change access controls on an arbitrary local file.
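Because the issue depends on a hard link placed in the Task Scheduler folder, one heuristic check while patches are being tested is to look for files in that folder that have more than one name. The script below is an added example, not part of the original advisory or of any Microsoft or CERT tooling; the default path `%SystemRoot%\Tasks` and all function names are assumptions made for illustration.

```python
import os
import stat
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class LinkedFile:
    path: str
    link_count: int
    file_id: tuple  # (st_dev, st_ino); every name of one file shares it


def default_tasks_dir():
    # Assumption, not stated in the advisory: the Task Scheduler folder is
    # %SystemRoot%\Tasks on a default Windows installation.
    return os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "Tasks")


def find_multiply_linked(directory):
    """Return (findings, unreadable) for the entries directly in `directory`."""
    findings, unreadable = [], []
    with os.scandir(directory) as entries:
        for entry in entries:
            try:
                # os.stat, not entry.stat(): on Windows DirEntry.stat() leaves
                # st_nlink, st_ino and st_dev at zero.
                info = os.stat(entry.path, follow_symlinks=False)
            except OSError:
                unreadable.append(entry.path)  # report it, do not hide it
                continue
            if stat.S_ISREG(info.st_mode) and info.st_nlink > 1:
                findings.append(
                    LinkedFile(entry.path, info.st_nlink, (info.st_dev, info.st_ino)))
    return sorted(findings, key=lambda f: f.path), sorted(unreadable)


def main(argv):
    directory = argv[1] if len(argv) > 1 else default_tasks_dir()
    findings, unreadable = find_multiply_linked(directory)
    for f in findings:
        print(f"REVIEW {f.path}: {f.link_count} hard links, file id {f.file_id}")
    for path in unreadable:
        print(f"UNREADABLE {path}")
    return 1 if findings or unreadable else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it from an account that can list the folder. For any flagged file, `fsutil hardlink list <path>` shows its other names so the file's access controls can be reviewed.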
How We Protect U-M
Information Assurance is working with Windows administrators in Information and Technology Services (ITS) and Health Information and Technology Services (HITS) to ensure plans are in place to test and apply the patch as soon as possible. In addition, we are monitoring news about the vulnerability and will share updates should the situation change.
Information for Users
MiWorkspace machines running Windows will be updated as soon as possible. If you use Microsoft Windows on your own devices, you should set it for automatic updates so that patches like this one are installed automatically when they are released.
In general, the best protection for your devices is this: keep your software and apps up-to-date, do not click suspicious links in email, do not open shared documents or email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Phishing & Suspicious Email, Secure Your Devices, and Use a Secure Internet Connection on the U-M Safe Computing website.
Questions, Concerns, Reports
Please contact [email protected].
References
- September Patch Tuesday forecast: Evaluate third-party updates alongside Microsoft release (HelpNetSecurity 9/10/18)
- Task Scheduler ALPC exploit high level analysis (Medium, 9/5/18)
- Windows zero-day vulnerability revealed (TechSpot, 8/29/18)
- Microsoft Windows zero-day vulnerability disclosed through Twitter (TechRepublic, 8/28/18)
- Microsoft Windows zero-day vulnerability disclosed through Twitter (ZDNet, 8/28/18)
- Vulnerability Note VU#906424. Microsoft Windows task scheduler contains a local privilege escalation vulnerability in the ALPC interface (CERT Vulnerability Notes Database, 8/27/18)
- Hacker Discloses Unpatched Windows Zero-Day Vulnerability (With PoC) (The Hacker News, 8/27/18)