The former security researchers also posted a link to a proof-of-concept on Github, in case anyone thought the vulnerability was not real. It is, and Microsoft is working on a fix.
Here is the alpc bug as 0day: https://t.co/m1T3wDSvPX I don't fucking care about life anymore. Neither do I ever again want to submit to MSFT anyway. Fuck all of this shit.
— SandboxEscaper (@SandboxEscaper) August 27, 2018
"I'm a retired Vulnerability Researcher.
I make a living writing travel blogs now," the researcher's About Me page on SandboxEscaper.com states.
The incident essentially boils down to a big middle finger aimed squarely at Microsoft, with Windows users potentially getting caught in the crossfire—this is not the proper way to reveal a zero-day bug. It caught the attention of Will Dormann, an analyst at CERT/CC, who verified the vulnerability.
Dormann confirmed that the exploit works in a fully patched system running Windows 10 64-bit, and with "minor tweaks," it also affects the 32-bit version of Windows 10. The zero-day bug is related to the task scheduler.
"Windows has a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible," Microsoft said in a statement. "Our standard policy is to provide solutions via our current Update Tuesday schedule."
In other words, Microsoft is aware of the issue, but doesn't deem the security threat high enough to warrant and out-of-band security patch. It will be addressed with the next Patch Tuesday update.
').insertAfter(jQuery('#initdisqus'));
}
loadDisqus(jQuery('#initdisqus'), disqus_identifier, url);
}
else {
setTimeout(function () { disqusDefer(); }, 50);
}
}
disqusDefer();
function loadDisqus(source, identifier, url) {
if (jQuery("#disqus_thread").length) {
jQuery("#disqus_thread").remove();
}
jQuery('
').insertAfter(source);
if (window.DISQUS) {
DISQUS.reset({
reload: true,
config: function () {
this.page.identifier = identifier;
this.page.url = url;
}
});
} else {
//insert a wrapper in HTML after the relevant "show comments" link
disqus_identifier = identifier; //set the identifier argument
disqus_url = url; //set the permalink argument
//append the Disqus embed script to HTML
var dsq = document.createElement('script'); dsq.type = 'text/javascript'; dsq.async = true;
dsq.src = 'https://' + disqus_shortname + '.disqus.com/embed.js';
jQuery('head').append(dsq);
}
jQuery('.show-disqus').show();
source.hide();
};
function disqusEvent()
{
idleTime = 0;
}
