If you are unfamiliar with LPE vulnerabilities, they are a common in the latter parts of attacks. Bad actors cannot use LPE’s to access a system, but they can elevate access once a host has been compromised. For example, increasing access from low-level to admin-level. The Windows 10 zero-day described in GitHub is located in the Windows Task Scheduler. By running a nefarious .job file, hackers can exploit the way Task Scheduler changes DACL (discretionary access control list) permissions for each individual file. Through the exploit, attackers can elevate their system privilege and gain control over a whole machine. Security researchers have tested the Windows 10 vulnerability on 32-bit systems, but it would theoretically work across other Windows versions, including legacy builds like Windows 7 and XP. SandboxEscaper is the researcher who published the zero-day and has a history of finding and releasing Windows vulnerabilities. She is a controversial figure because he releases the zero-day’s without informing Microsoft about them. This is a problematic strategy because it puts the vulnerability in the wild before Microsoft has a chance to issue a fix.
Big Business
Earlier this month, we reported how Windows zero-day vulnerabilities have become big business for hackers. Over three years, a secretive bad actor has been selling Windows zero-days. Security firm Kaspersky Lab says the exploits have been sold to cyber-crime groups and at least three cyber-espionage organizations. So-called APTs (advanced persistent threats) are government-backed groups who purchase exploits from third parties.