Sources

• https://www.darkreading.com/application-security/powerpool-malware-uses-windows-zero-day-posted-on-twitter/d/d-id/1332743
• https://www.bleepingcomputer.com/news/security/windows-task-scheduler-zero-day-exploited-by-malware/

Risks

CERT.be recommends systems administrators to install the latest updates when they will be available. Microsoft did not patch the ALPC bug to this day, but it is expected to release a fix in its monthly security updates on September 11. The vulnerability presents the following risks: Local Privilege Escalation.

Recommended Actions

Microsoft should release an update for this vulnerability in their monthly security updates on September 11. Meanwhile there is a workaround (not approved by Microsoft, proceed with caution!).

Set ACLs on the C:\Windows\Tasks directory

Karsten Nilsen has provided a mitigation for this vulnerability. This change will reportedly break things created by the legacy task scheduler interface. This can include things like SCCM and the associated SCEP updates. Please ensure that you have tested this mitigation to ensure that it does not cause unacceptable consequences in your environment.

To apply this mitigation, run the following commands in an elevated-privilege prompt:

icacls c:\windows\tasks /remove:g "Authenticated Users"

icacls c:\windows\tasks /deny system:(OI)(CI)(WD,WDAC)

Note that when a fix is made available for this vulnerability, these changes should be undone. This can be done by executing the following commands:

icacls c:\windows\tasks /remove:d system

icacls c:\windows\tasks /grant:r "Authenticated Users":(RX,WD)

Source : https://twitter.com/karsten_nilsen/status/1034406706879578112 ​