Windows 10 zero-day security hole gets publicly outed

Windows 10 Redstone 4

A zero-day vulnerability in Windows 10 has just been made public, and it’s a hole that could potentially be exploited to take control of your PC.

The security flaw was revealed by Twitter user SandboxEscaper in controversial fashion – more on that later – and it’s a privilege escalation bug (with a proof of concept provided).

CERT/CC (the US cybersecurity organization which looks to counter emerging threats) has confirmed that this vulnerability can be leveraged against a 64-bit Windows 10 PC which has been fully patched up to date, as The Register reports.

It offers a route to gain local privilege escalation, as mentioned, meaning a malicious party could hijack the PC, but the good news – such as it is – is that it’s a local bug, so the attacker would have to be already logged into the PC to exploit it, or be running code on the machine.

However, the latter means there’s the potential avenue of getting a user to download a malicious app, and infecting the PC that way, of course. So this isn’t something that should fly under your radar – as ever, be careful what you download, and where you download it from.

Colorful revelation

SandboxEscaper revealed the bug using, shall we say, colorful language, so we won’t reproduce the tweet here, but assuming you’re not offended by profanity, you can check it out.

Suffice it to say it seems that someone got frustrated with Microsoft’s procedures for submitting bugs and vulnerabilities, and decided just to go ahead and publicly out the vulnerability instead. SandboxEscaper now seems to regret her actions, though, as she subsequently tweeted: “I screwed up, not MSFT (they are actually a cool company). Depression sucks.”

On its part, Microsoft has declared that it will “proactively update impacted devices as soon as possible”, so that means a patch is doubtless in the works, although the software giant hasn’t deemed it necessary to release any kind of emergency fix for this issue. We can probably expect the cure for the flaw to arrive in next month’s round of security updates.

Meanwhile, in other security-related news, last week Microsoft deployed a fresh batch of Intel’s microcode updates for Windows 10 which defend against the recently discovered Foreshadow vulnerability (and further variants of Spectre).