Hackers Swoop In on Windows 10 Security Flaw Exposed on Twitter


Last week, a security researcher disclosed a zero-day Windows vulnerability on Twitter along with a Proof of Concept (PoC). Not surprisingly, malicious actors swooped in days later to use the bug for their benefit. 

Exploiting Windows’ Task Scheduler

The Twitter user SandboxEscaper revealed a local privilege-escalation bug in the Advanced Local Procedure Call (ALPC) interface of the Task Scheduler service on Windows 7 and Windows 10. A malicious executable launched from a limited (standard) Windows user account can abuse it to obtain SYSTEM-level rights, the highest privilege level on the machine.

SandboxEscaper released the PoC source code at the same time as disclosing the bug, so anyone could modify, recompile and repurpose that code for wide-scale attacks against Windows machines. Because a recompiled variant no longer matches the signatures written for the original PoC binary, such variants can also slip past signature-based security protections, including antivirus scans.

How PowerPool Infects Victims' PCs

A group called PowerPool modified the original PoC source code, recompiled it and used it to overwrite Google Chrome's auto-updater executable, which the system runs with SYSTEM privileges, with its own malicious file, thereby gaining SYSTEM privileges on victims' machines. The resulting malware can execute commands, kill processes, list folders, and upload and download files.

The initial stage of the infection, which is kickstarted via a malicious attachment sent in an email to the victim, also lets the PowerPool group perform some basic reconnaissance, including taking screenshots of the victim's PC.
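The pattern PowerPool used, overwriting a binary that a SYSTEM-level scheduled task will later run, is not specific to Chrome's updater and can be audited for after the fact on any machine. The PowerShell below is an added example written for this article; it is not code from the original page, from ESET or from the PowerPool malware. It enumerates scheduled tasks that run as SYSTEM or Administrators and reports any whose executable is writable by a principal other than SYSTEM, Administrators or TrustedInstaller (the DACL change the PoC makes), or whose Authenticode signature is no longer valid (the file overwrite). It assumes an elevated PowerShell session on Windows 8 / Server 2012 or later, where the ScheduledTasks module exists; the function names and the trusted-principal lists are my own choices.

```powershell
# Added example, not from the article or the PowerPool malware.
# Audit scheduled tasks that run with high privileges and flag executables that a
# low-privileged user could have replaced (writable DACL or broken signature).
# Assumes an elevated PowerShell on Windows 8 / Server 2012 or later.

# Assumed lists: adjust for your environment (e.g. a dedicated service account).
$PrivilegedRunAs = @('SYSTEM', 'NT AUTHORITY\SYSTEM', 'LocalSystem',
                     'Administrators', 'BUILTIN\Administrators')
$TrustedWriters  = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
                     'NT SERVICE\TrustedInstaller')

# Any of these rights lets a principal alter the file or its DACL. Generic rights
# (GENERIC_ALL 0x10000000, GENERIC_WRITE 0x40000000) appear as raw numbers in ACEs.
$Rights    = [System.Security.AccessControl.FileSystemRights]
$WriteMask = [int]$Rights::Write -bor [int]$Rights::Modify -bor [int]$Rights::FullControl `
           -bor [int]$Rights::TakeOwnership -bor [int]$Rights::ChangePermissions `
           -bor 0x10000000 -bor 0x40000000

function Resolve-TaskExecutable {
    param([string]$Execute)
    # Task actions store paths such as "%ProgramFiles(x86)%\Google\Update\GoogleUpdate.exe"
    $path = [Environment]::ExpandEnvironmentVariables($Execute.Trim().Trim('"'))
    if (-not [IO.Path]::IsPathRooted($path)) {
        # Bare names such as "cmd.exe" are resolved through PATH, as the scheduler does
        $cmd = Get-Command $path -ErrorAction SilentlyContinue
        if ($cmd) { $path = $cmd.Source }
    }
    return $path
}

function Test-UntrustedWriteAccess {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($TrustedWriters -contains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $WriteMask) -ne 0) { return $true }
    }
    return $false
}

function Find-TamperedPrivilegedTask {
    Get-ScheduledTask |
        Where-Object { $PrivilegedRunAs -contains $_.Principal.UserId } |
        ForEach-Object {
            $task = $_
            foreach ($action in $task.Actions) {
                if (-not $action.Execute) { continue }   # COM-handler actions have no Execute
                $exe = Resolve-TaskExecutable $action.Execute
                if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) { continue }
                $writable = Test-UntrustedWriteAccess -Path $exe
                $sig      = Get-AuthenticodeSignature -FilePath $exe
                if ($writable -or $sig.Status -ne 'Valid') {
                    [PSCustomObject]@{
                        Task           = "$($task.TaskPath)$($task.TaskName)"
                        RunAs          = $task.Principal.UserId
                        Executable     = $exe
                        UntrustedWrite = $writable
                        Signature      = $sig.Status
                        Signer         = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                    }
                }
            }
        }
}

Find-TamperedPrivilegedTask | Format-Table -AutoSize
```

A hit with UntrustedWrite set to true on a vendor binary is the strongest signal, since the PoC has to loosen the file's DACL before it can overwrite it. A signature status other than Valid needs judgement: an unsigned in-house script runner is normal, but a formerly signed updater now reporting NotSigned or HashMismatch is exactly what a PowerPool-style replacement looks like. The check only covers tasks whose principal is SYSTEM or Administrators; extend $PrivilegedRunAs, or also inspect $_.Principal.GroupId and RunLevel, if your environment runs privileged tasks under other accounts.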

Still Awaiting Patches

Microsoft was seemingly caught off-guard by SandboxEscaper's disclosure of the bug and has said it will release a patch on the next "Update Tuesday", September 11.

CERT/CC has published some potential mitigations for this vulnerability, but Microsoft has not officially endorsed them.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • hotaru251
    So... since they used Chrome's auto-update... does this have no effect if you don't even have it on your PC?
  • kenjitamura
    21299312 said:
    So... since they used Chrome's auto-update... does this have no effect if you don't even have it on your PC?

    It's highly unlikely this is the only group to abuse this exploit, and it sounds like it could just as easily be applied to nearly any other piece of software.
  • 1_rick
    "The initial stage of the infection, which is kickstarted via a malicious attachment sent in an email to the victim"

    Uh-huh.
  • pjkrojcer
    Yeah, straight up, from what I gather you need to infect your PC first via clicking on the attachment. So, uhh, don't open attachments from people you don't know?
  • Albert_15
    * gets an email saying "see attached file for instructions on how to mitigate this attack"
  • Larmo-Ct
    I get the impression from this article that SandboxEscaper was a jerk, by releasing this info before informing Microsoft of this/these exploits, and telling the world about it. But the most important question I have is: does the Microsoft Sept. 11 patch address all of the hacks mentioned in the article? Thanks in advance for any responses.