Windows 10 versions 1809 and newer suffer from a vulnerability that can grant system privileges to hackers. Microsoft is still investigating the problem, but it has issued a workaround.

“An elevation of privilege vulnerability exists because of overly permissive Access Control Lists (ACLs) on multiple system files, including the Security Accounts Manager (SAM) database,” a Microsoft security bulletin explains. “An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

US-CERT provides a bit more detail.

“With a successful exploit, a non-privileged user may leverage access to these files to achieve a number of impacts, including but not limited to extracting and leveraging account password hashes, discovering the original Windows installation password, obtaining DPAPI computer keys, which can be used to decrypt all computer private keys, [and] obtaining a computer machine account, which can be used in a silver ticket attack.”

The good news? These possibilities require the PC to be using Volume Shadow Copy Service (VSS) shadow copies. And an attacker must have the ability to execute code on a victim system before they can exploit this vulnerability, so the system has to have been exploited some other way first.

This new vulnerability was discovered by a security researcher who described an anomaly with the SAM that allowed system access. The issue was later confirmed by Microsoft, which is still investigating and will presumably issue a fix.

For now, however, Microsoft’s security bulletin describes a workaround that involves restricting access to a particular folder and then deleting VSS shadow copies, an act that could impair future restore operations using Microsoft or third-party tools.

And if it makes you feel any better, security researchers also discovered two similar escalations of privilege vulnerabilities in Linux. You can learn more from Qualys here and here.

Tagged with Security