Windows 0-day pops up out of nowhere Twitter

It's not a vulnerability bad enough to force Microsoft to release an out-of-cycle patch – however, CERT/CC has just put out an alert over a newly disclosed privilege escalation bug in Windows. According to the tweet that set the hounds running, it's a zero-day with a proof-of-concept over on GitHub: Here is the alpc bug as …

  1. chuckufarley Silver badge

    This reminds me of...

    ...the times I can't remember. I can't remember them because in the late 1990s through early 2000s, after a client's system was hosed by LPE and we had reimaged and restored backups for the ten thousandth system that month, we would celebrate the milestone by turning off our pagers and phones, then going to the nearest place serving high-test jet fuel and calling it "Happy Hour." I can't be sure what happened after that except to say that I usually made it home somehow.

    It's a bit cliché to say "The more things change..." but I do wish some things wouldn't stay the same.

  2. Mayday
    Alert

    Gone

    https://twitter.com/SandboxEscaper/

    That didn't take long. Sure to be elsewhere, of course.

    1. Anonymous Coward

      Re: Gone

      The GitHub and vulnerability note links work fine here.

      1. Anonymous Coward

        Re: Gone

        Nice to pack it in a format that could trigger vulnerabilities like CVE-2018-10115

  3. Destroy All Monsters Silver badge
    Pint

    Burning_this_is_fine_dog.jpg

    LOL

    (And who is SandboxEscaper and is he linked to Putin and/or Assad and/or Corbyn?)

    1. DCFusor

      Re: Burning_this_is_fine_dog.jpg

      No, it's China, in the bathroom, with Dept o State email server forwarding, get with the times!

      1. MyffyW Silver badge

        Who is SandboxEscaper?

        I'm pretty certain SandboxEscaper is not Satoshi Nakamoto.

      2. Someone Else Silver badge
        Coat

        Re: Burning_this_is_fine_dog.jpg

        No, it's China, in the bathroom, with Dept o State email server forwarding [...]

        Sounds like you just won Clue, the Millennial's Edition!

  4. Sorry that handle is already taken. Silver badge

    This guy's angry about something

    1. big_D Silver badge

      For me, that is the bigger story, who is this guy? What is his beef with reporting through channels? Why did he just throw it out on Twitter and not report responsibly?

      1. Anonymous Coward

        > For me, that is the bigger story, who is this guy? What is his beef with reporting through channels? Why did he just throw it out on Twitter and not report responsibly?

        Sounds like previous bad experience.

      2. JohnFen

        "What is his beef with reporting through channels?"

        I don't know about him in particular, but depending on the company, reporting through channels can be a very frustrating and risky experience. He isn't the only one to give up on it entirely.

        1. Anonymous Coward

          I saw Notgear respond to a security vulnerability report, by asking the finder of the vulnerability to post it in their public web forums to get help...

      3. Michael Wojcik Silver badge

        Why did he just throw it out on Twitter and not report responsibly?

        While responsible disclosure is certainly more common than it was, say, a decade ago (and much more common than when Rain Forest Puppy published the original RFPolicy back in, oh, 2000?), it's hardly unknown for people to just throw vulnerabilities out on Twitter or other media. This one just attracted some extra attention because it came with a PoC and is fairly serious.

        But subscribe to VULN-DEV, for example, and you'll see plenty of potential 0-days flowing by as people discuss whether there's something exploitable in a failure they've run across.

        Responsible disclosure has costs, even if they're mostly cognitive load and opportunity costs; that's one reason why many companies have bug bounties. And working with PSIRTs and other disclosure-handlers can be irritating. I'm on a PSIRT myself, and we put a lot of effort into being polite and receptive. But not everyone does. I've dealt with some PSIRT types who are abrasive and dismissive.

    2. Fibbles

      Her Twitter claims she has depression and was having some sort of episode.

  5. Anonymous Coward

    I think SandboxEscaper could do with a nice cup of tea.

    1. MyffyW Silver badge

      And maybe a hug (once he's had a shower)

  6. NotTrue

    Seems like a total mischief maker to me, chucking the code out "in anger" knowing it has a good potential to cause a lot of trouble if used quickly amongst the ever-wise user base who don't update their machines at patch release...

    1. Anonymous Coward

      Or a security researcher submitted the 0 day but got 0 return, so he/she went public. That's an assumption based on what happened last year.

      1. fm+theregister

        I would bet he used unofficial channels to make a bigger buck, and was crossed.. auf!

  7. Lee D Silver badge

    I have to say, for at least the last decade or so I have been led to assume that if you have the capability to execute code locally, then you have the capability to gain administrative privileges. It's really that simple.

    The fix, therefore, is to only let the code you want to run to run locally and deny everything else.

    I can't imagine there's a secure system in the world (e.g. military, etc.) that thinks it's a good idea to let a user run arbitrary code in any instance. Approved, verified-source, signed-off code only. Even then you can be compromised (e.g. escaping a web-browser sandbox, etc.).

    If a local user can get system privileges on a machine in so MANY different ways, you just can't assume that they won't try, and therefore have to design your security and systems to compensate as much as possible.

    The expectation for arbitrary code execution for anyone other than an administrator (already game over) or developer (who probably can mess up your system in a billion different ways, not least compiling exploit code into their programs) is something that I can't justify.

    1. John Robson Silver badge

      Agreed - but there are occasions when people manage to run code anyway.

      This is a failure in the next layer of defence - someone who conned your software (via a buffer overflow, or whatever) into running software shouldn't be able to get more rights on the system than that software had initially...

    2. Nick Ryan Silver badge

      It's multi-layer therefore execution rights followed by elevated rights on a local system is bad, however getting elevated rights in a domain (administrator) context is incredibly bad. Luckily this is somewhat harder, unfortunately it's definitely not impossible.

    3. Anonymous Coward

      I have to say, for at least the last decade or so I have been led to assume that if you have the capability to execute code locally, then you have the capability to gain administrative privileges. It's really that simple.

      So you have given up on multiuser systems?

      1. Anonymous Coward

        So you have given up on multiuser systems?

        In the majority of use cases, especially on Windows, "keeping honest people honest" is generally enough.

        An administrator would usually have some level of trust before granting access, and there would be some level of accountability.

    4. J27

      It would be at least a little better if applications were all automatically sandboxed by the OS like they are on Android or iOS. But it doesn't look like Microsoft is able to get any developer buy-in on that idea. It's a shame because it only hurts the end user. Of course, I'm a web developer who occasionally writes mobile apps, so porting legacy code to WinRT isn't really something I do. I imagine it's probably a huge pain.

      1. JohnFen

        "But it doesn't look like Microsoft is able to get any developer buy-in on that idea"

        I don't want that as an end-user, either. Optional sandboxing? Fine. Automatic sandboxing? Not fine, unless I can disable it.

      2. Anonymous Coward

        "a little better if applications were all automatically sandboxed"

        It does work on phones because the applications are still quite limited and mostly used in isolation by a single user. On a server or desktop PC where multiple different applications need to access, share and exchange data, it would become quite an issue.

        Windows 8 attempted it - UWP apps are sandboxed, but are also more limited.

        And still, bugs that allow escaping sandboxes do exist - in some ways "elevation of privilege" ones are alike - user mode processes should be "sandboxed" by their limited privileges.

    5. Michael Wojcik Silver badge

      I can't imagine there's a secure system in the world (e.g. military, etc.) that thinks it's a good idea to let a user run arbitrary code in any instance.

      I don't know about "thinks it's a good idea", but I've seen a lot of supposedly "secure" systems[1] - military, financial, medical, whatever - that let users run arbitrary code. Far more than the converse, in fact.

      If you think systems that people claim are secure commonly impose these sorts of restrictions, I'm afraid you're being wildly optimistic.

      [1] Which is a meaningless description anyway. Security isn't an absolute, and declarations of relative security mean nothing except in relation to a threat model.

  8. Pascal Monett Silver badge
    Facepalm

    "unaware of a practical solution to this problem"

    Well that's reassuring.

    MS continues its glorious history of selling swiss-cheese security to millions.

    Thank goodness XP, Vista, Windows 10 were all rewritten "from the ground up", otherwise we'd have the same bugs and exploits that we had in every previous version.

    Oh wait . . .

    1. JohnFen

      Re: "unaware of a practical solution to this problem"

      Yes, Microsoft deserves to be ridiculed for all the various times they've claimed that Windows has been "rewritten from the ground up".

      But, in all fairness to Microsoft, Windows is a very complex piece of software, and all software -- without exception -- has bugs, and the more complex, the more of them it has. This includes bugs with security implications.

      1. Anonymous Coward

        Re: "unaware of a practical solution to this problem"

        There's only one program we can prove MS re-wrote from the ground up...it is the one they "lost" the source code to when they had a little "anti trust" issue.

    2. Tom Paine

      Re: "unaware of a practical solution to this problem"

      You picked the wrong icon!

      Srsly though - of course they're unaware of a solution to the problem, it's a 0day. Hence the headline, which reads "Windows 0-day pops up out of nowhere Twitter".

  9. zb42

    first windows LPE that I remember

    The first windows LPE exploit that I was aware of was released in February 1999 by Dildog of the L0pht, almost twenty years ago.

    1. chuckufarley Silver badge
      Trollface

      Re: first windows LPE that I remember

      The first LPE I remember is everyone and their dog being able to use the Administrator account as a daily driver. Of course, Microsoft called it a "Feature" and those of us in the trenches felt the pain from it directly or indirectly.

      1. Anonymous Coward

        "and their dog being able to use the Administrator account"

        Tell developers who stubbornly kept on - and some still do today - writing in system directories and local machine registry keys... and those aren't the worst behaviour some application can show.

        1. Nick Ryan Silver badge

          Re: "and their dog being able to use the Administrator account"

          Largely because the idiots* didn't appreciate that not having full administrator access to something was a good idea and therefore wrote everything on the assumption that every execution of their code would have full administrator access. It was also easier - laziness is the cause of many security issues.

          * I was such an idiot once... although admittedly many years ago. What I've always done since has been hijacked by buzzword bingo: DevOps.

          1. Anonymous Coward

            "I was such an idiot once..."

            Most of us were. Those who learnt programming in DOS and Windows 2.x/3.x didn't have to care about permissions and privileges. As soon as I got a machine with NT4 I understood my code had issues, and old habits had to be forgotten to write better code.

            I like my job, and believe keeping my skills and knowledge up to date is essential. It looks like others think it just pays the bills, and have to deliver what is asked of them with the minimal effort. Changing habits and writing a little more code to cope with newer environments and requirements is too much for them - and their managers. Many of them work for or sold their code to companies too big for MS to ignore them and enforce stricter rules and kill non-compliant applications.

            Anyway this vulnerability looks rooted again in something needed to make kernel calls faster - the bane of every operating system...

        2. Anonymous Coward

          Re: "and their dog being able to use the Administrator account"

          Tell developers who stubbornly kept on - and some still do today - writing in system directories and local machine registry keys... and those aren't the worst behaviour some application can show.

          I see you have also used software from Sage.

          1. robidy

            Re: "and their dog being able to use the Administrator account"

            Cisco wouldn't do that ha ha ha plop...

      2. Tom Paine

        Re: first windows LPE that I remember

        I hate to break this to you, but anyone can use root. It wouldn't be a very useful account if it couldn't be used, would it?

        Now, if you're talking about bad operational practices in GIVING users admin accounts... that's hardly Microsoft's fault, is it now?

  10. steamnut

    More cloud anyone?

    U$oft would like us all to log in to virtual cloud-based machines in the future. It's all part of their drip drip subscription model (ditto Oracle, Adobe etc). But, just imagine the chaos that would (will) ensue when the machines they have total responsibility for go tits up or are compromised.

    Windows is clearly still a very flawed OS with U$oft trying to calm us with their regular patch updates. And yet the bugs still come.....

    It's bad enough that Azure and Office365 (more like 360) go offline for long periods of time but who knows what the affects would be of total shutdown.

    Thank goodness there are alternatives.

    1. Anonymous Coward

      Re: More cloud anyone?

      What makes you think the alternatives are as secure, much less more secure? The fact that they haven't had nearly as much scrutiny? How many vm escapes have happened in AWS, IBM,and Oracle clouds? Do you think you have accurate data?

    2. John Brown (no body) Silver badge

      Re: More cloud anyone?

      "U$oft "

      Who??

      1. Anonymous Coward

        Re: More cloud anyone?

        I believe they intended to write a "μ" (lowercase Greek Mu character - the metric notation for "micro" meaning 10^-6) instead of the English letter "U." The dollar sign "$" substitutes for an English "S" because some people still think that's clever in 2018.

        With that in mind, it is pretty obvious that they are talking about Google.

      2. Crazy Operations Guy

        Re: More cloud anyone?

        "U$oft "

        Another of those convoluted ad hominem attempts at an insult. I presume they meant to use the greek letter "μ" (mu), which is used in measurement systems to indicate the prefix 'micro'. The dollar sign because that has been standard parlance.

        I'd give it a 8/10 for creativity, but a 1/10 for readability.

        Besides, to whose benefit is this? The vast majority of people commenting here are already quite familiar with Microsoft being greedy assholes and aren't going to argue with you about it. And it's not like you have to obfuscate their name, Microsoft has much better things to do than to cruise a forum like this trolling for people that aren't fans...

        1. Anonymous Coward

          Re: More cloud anyone?

          ‘"U$oft " to whose benefit is this?’

          A more appropriate title would be Ubersoft :]

  11. Anonymous Coward

    Seems as though he has submitted quite a few bugs with CVE and had little credit

    Found a blogspot cached.

    http://webcache.googleusercontent.com/search?q=cache:Sroj-BmjiHcJ:sandboxescaper.blogspot.com/+&cd=4&hl=en&ct=clnk&gl=uk

    1. Nick Ryan Silver badge

      Re: Seems as though he has submitted quite a few bugs with CVE and had little credit

      If that's them then they have insecurity issues that should (please) be dealt with first rather than security issues.

      Honestly, I don't care what gender/sexuality/whatever someone identifies with as long as they're competent... but I do understand that it may need to be taken into account sometimes. I also know that, unfortunately, much of the world doesn't feel the same way. It reads as if they needed to state personal issues as an excuse or an apology for finding security issues? It seems wrong, and perhaps somebody crying out for attention or help more than anything else.

      ...and no, I'm not intending to be nasty in any way.

  12. Zippy´s Sausage Factory
    Windows

    Now I'm just waiting for Microsoft to classify it as "not a problem, won't fix" because the steps to reproduce it are more than just clicking on a link in an email.

    Yes, I am cynical, thanks for asking...

    1. Waseem Alkurdi
      Joke

      "won't fix"

      That's Lennart Poettering, not Microsoft ... but the difference is little to none anyhow ...

      “The creatures outside looked from pig to man, and from man to pig, and from pig to man again; but already it was impossible to say which was which.” - George Orwell

  13. Mike Shepherd
    Meh

    Proactively

    It looks like Microsoft have a new definition of "proactively". Perhaps it's just another warm and cuddly word fetched from the shelf when trying to give a good impression, without much regard to the meaning.

  14. Anonymous Coward

    Not a problem for me

    I'm still running Windows XP so these bugs are not a big dea^&&F V!@#~+_?> 4568 NO CARRIER

    1. MyffyW Silver badge

      Re: Not a problem for me

      NO CARRIER you say? HMS Queen Elizabeth II and HMS Prince of Wales still run XP :-)

      1. Anonymous Coward

        Re: Not a problem for me

        Unless they get a "torpedo upgrade".

        1. bpfh

          Re: Not a problem for me

          Won't a torpedo upgrade create a new security hole?

          1. MyffyW Silver badge

            Re: Not a problem for me

            Such an "upgrade" might fix an OPEX hole in the Navy budget though.

  15. dmacleo

    gpo help?

    would using (on domain) the prohibit new task creation template possibly mitigate this a bit?

    if off domain no idea if template exists.

    have not messed around with it so no idea if useful or not.

    1. Waseem Alkurdi

      Re: gpo help?

      As far as I can see, that helps.

      But I'd remove the whole Task Scheduler service if I were you.

      1. bpfh

        Re: gpo help?

        And half a ton of other services whose reason for being I do have some difficulty understanding, at least on a home PC...

      2. LewisRage

        Re: gpo help?

        > remove the whole Task Scheduler service

        That's a terrible idea.

        1. Anonymous Coward

          Re: gpo help?

          >> remove the whole Task Scheduler service

          > That's a terrible idea.

          Not a terrible idea, but it's impossible to disable Task Scheduler service from Windows 7 up to Windows 10.

          Tried it on XP and it can still be DISABLED on that old OS.

          1. Anonymous Coward

            Re: gpo help?

            It's a terrible idea because some maintenance tasks have been moved there instead of having always-running services. It became good practice also to use it, e.g. for application update checks, instead of installing services that do only that and waste resources.

        2. Tom Paine
          Stop

          Re: gpo help?

          Remember the Bill Hicks bit about the annoying kid on the plane, who gets out of his seat and starts flipping at the cabin door emergency release? And the passenger next to Bill gets up to grab the kid, and Bill's, like, "Whoah - hold on a sec - we're about see someone learn a valuable lesson... "

          I turned on all the auditing options NT4 provided, not long after I first got it (my first ever real OS, a few months before attempting to set up dual boot Linux for the first time.) THAT was interesting, and a lesson learned.

  16. The Empress

    Who gives a shit anymore

    Windows is fucked. The end

    1. Mellipop

      Re: Who gives a shit anymore

      Oh don't say that. I bought a new W10 tablet last week.

      I'm gonna cry.

      Stopped now. Just realised I ordered a Pi3b to use as a dev server with my Chromebook.

      Anyone want to buy an Alcatel 12+2 with a known 0day hole?

      1. Anonymous Coward

        Re: Who gives a shit anymore

        with a known 0day hole

        Only 1? I'll have it!

  17. Maelstorm Bronze badge
    Joke

    Microsoft's *REAL* Response

    That Microsoft Guy:

    You are all mistaken. What is referred to as the ALPC bug is actually an obfuscated feature that we put in at the request of the NSA. It allows a user to gain system level privileges without having the password to the Administrator account. It is to be used by users to perform admin tasks on the machine without actually bothering the admin. Eventually, we plan on expanding this feature so that the end users will be able to administer the networks they are connected to without needing a password. Therefore, lazy system administrators will be rendered redundant and can be laid off saving the company the unneeded expense of paying a dedicated person to administer the network.

    So what can possibly go wrong?

  18. Kev99 Silver badge

    You'd think that after decades of windows coding the idiots in Redmond would know how to NOT introduce vulnerabilities into their products. Either that, or they just don't give a rat's rear.

    1. Anonymous Coward

      With each version of the Linux kernel turning up with thousands of bugs/vulnerabilities each year (not my figures either), what's the average user supposed to do? Windows is worse, but not by all that much.

      1. Vocational Vagabond
        Trollface

        Ah but ... with a linux bug, no NDA is required for remedy, so it can be seen by all, and actioned after a peer reviewed pull request.... Can't do that in windows land, but then community spirit is a paid thing there, I'd wager.

  19. Anonymous Coward
    Windows

    However, in a well run shop...

    Exchange online protection safe attachment will drop this from an incoming email.

    Applocker will prevent unsigned code being run by the user from USB
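
    Comment 7 (Lee D) argues for letting only approved, signed code run, and comment 19 above points at AppLocker as the tool for it. The following PowerShell is an added example, not code from the article or from any commenter: it builds an AppLocker executable policy in that spirit (Microsoft-signed executables allowed, execution from removable and hot-pluggable media explicitly denied, administrators exempt, everything else blocked by AppLocker's implicit default deny), dry-runs it against sample files, and deploys it in audit-only mode. Rule names, GUIDs and the test file paths are chosen for the example; it assumes an elevated PowerShell on a Windows edition that supports AppLocker.

```powershell
# Added example: author an AppLocker EXE policy, test it, deploy it in audit mode.
# Not from the article or the thread; GUIDs, names and test paths are illustrative.
#
# AppLocker semantics relied on here:
#   - once any rule exists in the Exe collection, anything not explicitly
#     allowed is blocked (implicit default deny);
#   - an explicit Deny rule wins over any Allow rule, so a signed binary copied
#     to a USB stick is still refused by the %REMOVABLE% rule;
#   - %REMOVABLE% and %HOT% are AppLocker path variables for removable and
#     hot-pluggable media; S-1-1-0 = Everyone, S-1-5-32-544 = BUILTIN\Administrators.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="6d4c1f8a-1a2b-4c3d-9e0f-0a1b2c3d4e01" Name="Deny execution from removable media" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%REMOVABLE%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="6d4c1f8a-1a2b-4c3d-9e0f-0a1b2c3d4e02" Name="Deny execution from hot-pluggable media" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%HOT%\*" /></Conditions>
    </FilePathRule>
    <FilePublisherRule Id="6d4c1f8a-1a2b-4c3d-9e0f-0a1b2c3d4e03" Name="Allow Microsoft-signed executables" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePathRule Id="6d4c1f8a-1a2b-4c3d-9e0f-0a1b2c3d4e04" Name="Administrators may run anything" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@

$policyPath = Join-Path $env:TEMP 'applocker-exe-policy.xml'
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Dry run: a Microsoft-signed binary in System32, and the same binary copied to a
# user-writable directory. Both come back "Allowed" for Everyone, because the
# publisher rule is location-independent; only the media Deny rules or the absence
# of an Allow rule (unsigned code) would change the decision.
$copied = Join-Path $env:TEMP 'notepad-copy.exe'
Copy-Item "$env:WINDIR\System32\notepad.exe" $copied -Force
Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone -Path @(
    "$env:WINDIR\System32\notepad.exe",
    $copied
) | Format-Table -AutoSize FilePath, PolicyDecision, MatchingRule

# Deploy in audit mode and merge with any existing collections. Switch
# EnforcementMode to "Enabled" only after reviewing a few days of 8003 events.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge

# Audit trail: 8002 = allowed, 8003 = audit-only (would have been blocked),
# 8004 = blocked. This is the evidence that tells you what enforcement will break.
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -in 8003, 8004 } |
    Select-Object TimeCreated, Id, Message
```

    Two caveats a practitioner will want: enforcement does nothing unless the Application Identity service (AppIDSvc) is running, and an Exe collection only governs executables, so script and DLL collections need their own rules if "only approved code" is meant literally. The policy here deliberately avoids the stock "allow everything under %WINDIR%" path rule, since that directory tree contains user-writable subdirectories and a path rule would allow anything dropped into them.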

  20. MCMLXV
    Headmaster

    A bit late to the fray, but...

    Could somebody please tell me what the fuck "proactively update impacted advices" means?

    Oh, and while I'm here... @steamnut: learn the difference between "affects" and "effects".

  21. Anonymous Coward

    Not allowed to

    Discover a new CPU flaw, in chips ranging from low end Core i3 to high end Core i8, and call it "MAINSTRIKE" because SPECTRE was taken already.

    Pretty nasty issue which can allow Ring 0 ownage from any open port, including: headphones, USB, those horrible little connectors on the motherboard, the speaker pins, microphone, video port (VGA through to HDCP), drive connector, BIOS battery, power supply control (green wire), CPU core regulator feedback, CPU temperature sensor...

    You'd have to literally flash a custom scratch built (ie no keychain) BIOS for mitigation and even then there would be no guarantee apart from assume you've been owned six ways from Sunday and pray. Hard.

    (apologies to Ian Fleming)

  22. Anonymou5 Coward
    Linux

    "Proactively" after POC was posted?

    1. Tom Paine
      Facepalm

      Right, because they should have fixed it before they knew about it.

  23. Rob E
    Trollface

    Sorry to be a pedant but

    When M$ says “proactively update impacted advices as soon as possible.”, presumably they actually mean "Reactively update impacted devices"

  24. wallyhall

    Is this why MS bought GitHub?

    I’m just wondering - maybe so they could control such github accounts?!

    Saves a bit of face!
