- An attacker could exploit the vulnerability to elevate user privileges on a system to which he already has access.
- The proof-of-concept is published on GitHub.
A new Windows zero-day vulnerability was disclosed on Twitter for the second time in two months. The vulnerability affects the Microsoft Data Sharing service (dssvc.dll), which brokers data between applications and runs as LocalSystem inside a shared svchost.exe process.
An attacker could exploit the vulnerability to elevate privileges on a system to which he already has access. A security researcher who goes by the Twitter handle @SandboxEscaper disclosed the vulnerability on Twitter and has also published a proof-of-concept (PoC) on GitHub.
Many other security experts also confirmed the validity of the PoC, adding that the zero-day bug affects all recent versions of the Windows 10 operating system (including the October 2018 update), Server 2016, and even the new Server 2019, according to a report by ZDNet.
About the vulnerability
The new zero-day is very similar to the one SandboxEscaper disclosed at the end of August this year. According to security researcher Kevin Beaumont, the two bugs are almost identical.
"It allows non-admins to delete any file by abusing a new Windows service not checking permissions again,” Beaumont said.
The risk posed by the new bug
When the first zero-day was disclosed by SandboxEscaper on Twitter, various cybercriminals took advantage of the vulnerability and integrated the PoC code published on Github within their cyber threat campaigns.
However, the first zero-day was patched by Microsoft along with the September 2018 Patch Tuesday updates.
Now, security researchers believe that attackers could leverage the newly released zero-day as well and use it in fresh malware campaigns targeting Windows users. Because the two vulnerabilities pose a similar risk, researchers believe the new zero-day could be exploited to delete OS files or DLLs and replace them with malicious versions.
Mitja Kolsek, founder and CEO of ACROS Security, advised users not to run SandboxEscaper's PoC, as it deletes crucial Windows files. This crashes the operating system and forces users to restore it.
Kolsek's company also released a micropatch through its 0patch platform that blocks exploitation attempts until Microsoft releases a fix for the zero-day. Kolsek added that his team is working on extending the micropatch to all affected versions of Windows.
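Before relying on a third-party micropatch or waiting for Microsoft's fix, an administrator will want to know whether a given host actually exposes the affected service. The following PowerShell snippet is an added example, not code from the article, from SandboxEscaper, or from 0patch. It assumes the service's short name is DsSvc and that its binary is %SystemRoot%\System32\dssvc.dll; verify both on your own build, and supply the patched DLL version yourself once Microsoft publishes it, since the article gives no fixed version.

```powershell
# Added example: inventory the Data Sharing Service on the local host.
# Assumptions (not from the article): service short name 'DsSvc',
# DLL path %SystemRoot%\System32\dssvc.dll, and a caller-supplied
# -PatchedVersion, since no fixed build is known at the time of writing.
function Get-DssvcExposure {
    param(
        [string]$ServiceName = 'DsSvc',
        [string]$DllPath     = (Join-Path $env:SystemRoot 'System32\dssvc.dll'),
        [version]$PatchedVersion = $null   # fill in once Microsoft ships a fix
    )

    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem

    # File version of the service DLL, if present on this build
    $dllVersion = $null
    if (Test-Path -LiteralPath $DllPath) {
        $dllVersion = [version](Get-Item -LiteralPath $DllPath).VersionInfo.FileVersion
    }

    # Exposed means: service exists, is not disabled, and no patched version
    # is known to be installed. Running the PoC is never part of this check.
    $patched = $PatchedVersion -and $dllVersion -and ($dllVersion -ge $PatchedVersion)
    $exposed = [bool]$svc -and ($svc.StartType -ne 'Disabled') -and -not $patched

    [pscustomobject]@{
        OsCaption      = $os.Caption
        OsBuild        = $os.BuildNumber
        ServicePresent = [bool]$svc
        ServiceStatus  = if ($svc) { $svc.Status.ToString() }    else { 'absent' }
        StartType      = if ($svc) { $svc.StartType.ToString() } else { 'absent' }
        DllVersion     = $dllVersion
        PatchedVersion = $PatchedVersion
        Exposed        = $exposed
    }
}

# Usage: run elevated so the service and DLL are readable on every host.
Get-DssvcExposure | Format-List
```

The result only tells you whether the host carries the affected component; it does not test exploitability. Disabling the service is a blunt mitigation that breaks data brokering between applications, so treat a micropatch or the vendor fix as the preferred remedy and use this inventory to prioritise which hosts get it first.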