Windows 10 versions 1809 and later suffer from a vulnerability that could allow a local attacker to gain SYSTEM privileges. Microsoft is still investigating the problem, but it has published a workaround.
“There is an elevation of privilege vulnerability due to overly permissive access control lists (ACLs) on multiple system files, including the Security Accounts Manager (SAM) database,” explains a security bulletin from Microsoft. “An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, modify or delete data; or create new accounts with full user rights.”
US-CERT gives a little more detail.
“With successful exploitation, a non-privileged user can exploit access to these files for a variety of purposes, including but not limited to extracting and exploiting account password hashes, discovering the original Windows installation password, obtaining DPAPI computer keys, which can be used to decrypt all the computer’s private keys, [and] obtaining a computer machine account, which can be used in a silver ticket attack.”
The good news? Exploitation requires a Volume Shadow Copy Service (VSS) shadow copy of the system drive to exist: the live hive files under the Windows config directory are held open by the operating system, so the permissive ACLs only matter when a copy of those files can be read from a shadow copy. And an attacker must already be able to execute code on the victim system as some local user before exploiting this vulnerability, so it is a privilege-escalation step that follows an initial foothold, not a remote entry point.
This new vulnerability was discovered by a security researcher who noticed that the SAM hive, which should be readable only by SYSTEM and Administrators, could be read by non-administrative users. The problem was later confirmed by Microsoft, which is still investigating and is expected to ship a proper fix.
For now, however, Microsoft’s security bulletin describes a workaround in two parts: restrict the ACLs on the files in %windir%\system32\config, and then delete any existing VSS shadow copies (which still carry the old, permissive ACLs). Deleting shadow copies also deletes restore points, an action that could impair future recovery operations using Microsoft or third-party tools, so Microsoft recommends creating a new restore point afterwards.
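An added example, not from the article or from Microsoft’s bulletin, that ties the two preconditions above (readable hive ACLs plus an existing shadow copy) to the published workaround. It audits the SAM, SYSTEM and SECURITY hives for a BUILTIN\Users read ACE, counts shadow copies, and only applies the icacls and vssadmin steps when run with the `-Remediate` switch; the switch name and the hive list are this example’s own choices. Run from an elevated PowerShell prompt.

```powershell
# Added example (not the article's or Microsoft's code): audit the hive ACLs and
# shadow copies, then optionally apply the workaround Microsoft published.
# -Remediate is this script's own switch; without it the script is read-only.
[CmdletBinding()]
param(
    [switch]$Remediate
)

$configDir = Join-Path $env:windir 'System32\config'
# Hive files chosen for this example; the bulletin says "multiple system files".
$hives = 'SAM', 'SYSTEM', 'SECURITY' | ForEach-Object { Join-Path $configDir $_ }

# 1. Precondition one: can non-administrators read the hive files?
#    On an affected build icacls shows an inherited "BUILTIN\Users:(I)(RX)" ACE.
$exposed = foreach ($hive in $hives) {
    $acl = Get-Acl -Path $hive
    $acl.Access |
        Where-Object {
            $_.IdentityReference -eq 'BUILTIN\Users' -and
            $_.AccessControlType -eq 'Allow' -and
            ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ReadData)
        } |
        ForEach-Object {
            [pscustomobject]@{ File = $hive; Rule = "$($_.IdentityReference):$($_.FileSystemRights)" }
        }
}

# 2. Precondition two: is there a shadow copy the hives could be read through?
#    The live files are locked, so without a shadow copy the bad ACL is not usable.
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)

if ($exposed) {
    Write-Warning 'Hive files readable by BUILTIN\Users:'
    $exposed | Format-Table -AutoSize
} else {
    Write-Host 'Hive ACLs look correct (no BUILTIN\Users read access).'
}
Write-Host ("Shadow copies present: {0}" -f $shadows.Count)

if ($exposed -and $shadows.Count -gt 0) {
    Write-Warning 'Both preconditions hold: readable hives AND shadow copies exist.'
}

if ($Remediate) {
    # Microsoft's workaround, step 1: re-apply inherited permissions to the hive files.
    & icacls "$configDir\*.*" /inheritance:e

    # Step 2: delete existing shadow copies, which still hold copies of the hives
    # with the old permissive ACLs. This also removes System Restore points.
    & vssadmin delete shadows /all /quiet

    Write-Host 'Workaround applied. Create a new restore point if you rely on System Restore.'
}
```

Audit first on a few machines and compare the output against `icacls %windir%\system32\config\SAM`; the ACE the script looks for is the same one that command prints. Because the remediation deletes every shadow copy on the volume, schedule it with the backup owners rather than pushing it silently through configuration management.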
And if it makes you feel better, security researchers also discovered two similar privilege-escalation vulnerabilities in Linux. You can learn more from Qualys here and here.