After disclosing a zero-day vulnerability in the Advanced Local Procedure Call (ALPC) interface of Microsoft Windows on Twitter at the end of August, the security researcher known as SandboxEscaper has released another 0-day, this time affecting the Microsoft Windows Data Sharing Service (dssvc.dll).
A number of security researchers who looked into the vulnerability and tested the Proof of Concept (PoC), also published on GitHub, found that it allows an attacker with local access to the Windows machine to abuse the service's elevated privileges and delete any file on the system, an action that would otherwise require administrator rights.
Multiple researchers said that SandboxEscaper's new Microsoft Windows zero-day only affects recently released Windows versions: Mitja Kolsek confirmed that it affects Windows 10 and Windows Server 2016, while Kevin Beaumont reported that Windows Server 2019 can also be compromised by the PoC.
Although this is a zero-day security bug and, according to SandboxEscaper and other researchers, it is quite hard to exploit reliably, an attacker who has already gained a foothold on a machine could use it to severely cripple the target.
This is the second Microsoft Windows zero-day released by SandboxEscaper on Twitter in just two months.
SandboxEscaper's PoC illustrates the seriousness of this Windows 0-day: once run on a computer, it deletes the pci.sys driver file, crashing the system and rendering the machine unbootable.
As discovered by Kolsek, CEO of ACROS Security, some systems have mitigations against this Windows zero-day; on Windows Server 2016, for example, the User Access Logging Service prevents the vulnerable Data Sharing Service from starting, effectively blocking any exploitation attempt.
ACROS Security, the company behind the 0patch micropatch deployment platform, released a "micropatch candidate that successfully blocks the exploit by adding impersonation to the DeleteFileW call" seven hours after the zero-day was shared on Twitter. With impersonation in place, the service performs the deletion in the security context of the calling user rather than in its own privileged context, so the call fails when that user has no right to remove the target file.
At the moment the 0patch micropatch candidate blocks the exploit on vulnerable Windows 10 and Windows Server 2016 systems; vulnerable computers running Windows Server 2019 will have to wait for a future micropatch or for an official security update from Microsoft.
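The following PowerShell script is an added example for triaging a host against the issue described above; it is not code from the article, from SandboxEscaper, or from 0patch. It assumes the service names dssvc (Data Sharing Service) and ualsvc (User Access Logging Service), that the PoC's target is %SystemRoot%\System32\drivers\pci.sys, and that disabling dssvc (an opt-in workaround the article does not mention) is acceptable on the host; the service backs application data-sharing features, so that switch should be tested before it is rolled out.

```powershell
# Added example, not the article's or 0patch's code. Assumptions: service names
# 'dssvc' and 'ualsvc'; PoC target file pci.sys; disabling dssvc is an opt-in
# workaround that the article does not describe. Run from an elevated prompt.
[CmdletBinding()]
param(
    # Opt-in workaround: stop the Data Sharing Service and set it to Disabled.
    [switch]$DisableDssvc
)

function Get-ServiceDetails {
    param([Parameter(Mandatory)][string]$Name)
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'"
    if (-not $svc) { return $null }
    [pscustomobject]@{
        Name      = $svc.Name
        State     = $svc.State       # Running / Stopped
        StartMode = $svc.StartMode   # Auto / Manual / Disabled
        Account   = $svc.StartName   # LocalSystem means deletions run as SYSTEM
        Path      = $svc.PathName
    }
}

$os = Get-CimInstance -ClassName Win32_OperatingSystem
Write-Host ("OS: {0} (build {1})" -f $os.Caption, $os.BuildNumber)

# The vulnerable component is the service itself: if dssvc is not installed,
# this build (e.g. Windows 7 / 8.1) is out of scope for the PoC.
$dssvc = Get-ServiceDetails -Name 'dssvc'
if (-not $dssvc) {
    Write-Host 'dssvc is not present on this host; the Data Sharing Service 0-day does not apply.'
    return
}
Write-Host 'Data Sharing Service (dssvc):'
$dssvc | Format-List | Out-String | Write-Host

# Kolsek's observation: on Server 2016 the User Access Logging Service keeps
# dssvc from starting. Record its state so the mitigation can be verified.
$ual = Get-ServiceDetails -Name 'ualsvc'
if ($ual) {
    Write-Host ("User Access Logging Service (ualsvc): {0}, start mode {1}" -f $ual.State, $ual.StartMode)
}

if ($dssvc.StartMode -eq 'Disabled') {
    Write-Host 'dssvc is disabled; the published PoC cannot reach the vulnerable code path.'
} else {
    Write-Warning 'dssvc can start; the host is exposed until a micropatch or official update is applied.'
}

# The PoC deletes pci.sys. Verify the file is still there and record its hash so
# a later run can tell whether it was replaced or removed.
$pciSys = Join-Path $env:SystemRoot 'System32\drivers\pci.sys'
if (Test-Path -LiteralPath $pciSys) {
    $hash = Get-FileHash -LiteralPath $pciSys -Algorithm SHA256
    Write-Host ("pci.sys present, SHA256 {0}" -f $hash.Hash)
} else {
    Write-Warning 'pci.sys is missing from System32\drivers; the machine is unlikely to survive the next reboot.'
}

if ($DisableDssvc) {
    # Assumption: disabling the service is acceptable here. Stop it first so a
    # running instance cannot keep serving requests until the next reboot.
    Stop-Service -Name 'dssvc' -Force -ErrorAction SilentlyContinue
    Set-Service -Name 'dssvc' -StartupType Disabled
    Write-Host 'dssvc stopped and set to Disabled.'
}
```

Run it without switches to get a read-only report, and with -DisableDssvc only on hosts where the Data Sharing Service is not needed; the report is also a useful way to confirm that the Server 2016 mitigation described by Kolsek is actually in effect on a given machine rather than assuming it.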