back to article Worrying Windows 10 wrecking-ball weapon weirdly wanders wildly on worldwide web

A skilled Microsoft bug hunter with a penchant for public disclosures via Twitter has openly floated a new Windows 10 zero-day flaw. The researcher, who goes by the pseudonym SandboxEscaper, says the bug is present in the code handling advanced local procedure calls (ALPCs). It can be exploited by a malicious logged-in user or …

  1. Alister

    Windows 10

    The gift that keeps on giving...

    1. Anonymous Coward
      Trollface

      Re: Windows 10

      The gift that keeps f*cking up your computer !

      1. Someone Else Silver badge

        Re: Windows 10

        This is a gift?

        1. ma1010
          Coat

          Re: Windows 10

          @ Someone Else

          This is a gift?

          Absolutely! But they were speaking German, in which language "Gift" = "Poison."

          1. TwistedPsycho

            Re: Windows 10

            This is a gift?

            Absolutely! But they were speaking German, in which language "Gift" = "Poison."

            The Germans are crafty, they like going to the Redmond Cathedral because it has a 123ft spire that looks like Bill Gates.

            1. Usermane

              Re: Windows 10

              But they don't seems so smart

              https://www.theregister.co.uk/AMP/2018/07/27/lower_saxony_to_dump_linux/

              As they back to the "gift".

  2. vtcodger Silver badge

    How?

    "The researcher, who goes by the pseudonym SandboxEscaper, says the bug is present in the code handling advanced local procedure calls (ALPCs)..."

    In case anyone else is curious:

    "Advanced Local Procedure Calls (ALPCs) An advanced local procedure call (ALPC) is an interprocess communication facility for high-speed message passing. It is not directly available through the Windows API; it is an internal mechanism available only to Windows operating system components."

    Apparently Windows 10's internal communications channels aren't as internal or private as they hoped. Kind of ironic isn't it?

    1. Destroy All Monsters Silver badge
      Paris Hilton

      Re: How?

      available only to Windows operating system components

      Maybe Edge browser?

    2. Michael Wojcik Silver badge

      Re: How?

      an internal mechanism available only to Windows operating system components

      This is meant in the sense "it's not documented and you're not supposed to look at it", not "there's some security boundary that prevents hoi polloi from invoking it".

      You can find several explanations of ALPCs and how to call them online, such as this.

  3. nematoad
    FAIL

    Snap.

    "..with the added twist of the attacker now being able to wipe files."

    Oh? I thought that the OS already did that for you.

    1. phuzz Silver badge
      Facepalm

      Re: Snap.

      They're never going to live that down are they?

      In ten years, in comment threads, we're still going to be getting jokes along the lines of "yeah but Windows will delete all your data".

      1. Scunner

        Re: Snap.

        And for good reason. Randomly deleting your files must be number 1 on the list of things that an OS shouldn't do.

        1. phuzz Silver badge

          Re: Snap.

          Well yes, but other OS's seem to get a slightly easier time of it than Windows.

          I had a nasty bug in a grub update towards the start of the year that prevented a bunch of systems from booting*, but it never made it as far as the front page of elReg.

          * (not technically data loss, except that these systems used LUKS encryption and recovering the data turned out to be a lot more complicated than running undelete on a Windows system.)

          1. billdehaan

            Re: Snap.

            I've bricked my share of machines over the decades, from embedded video and MP3 players, and simpler time Z80 CP/M boxes to modern i7 based Ubuntu machines. I've even brought down a Control Data Cyber back in the day, and several Vaxen.

            However, none of those compares with scrubbing user data at the vendor level. Microsoft has had bad rollouts before that have bricked huge swaths of the user base, at the cost of time and money. So have IBM, Dec, Apple, and many application vendors.

            But deleting user data is a different story. And this was not as the result of a user operation, it was inflicted on users by the vendor. That alone makes Microsoft's cockup much worse, and singles them out for well-deserved scorn.

            If Apple pushed out an update that locked every iPhone for 24 hours, it would be a disaster as well, but it they were able to return the phones to their previous state, it would be an "outtage". But for people with 80GB of user data, waking up to find that they only have 1GB of user data left, because an unrequested Microsoft update scrubbed 79GB of is an unparalleled screw up, and Microsoft well and truly deserves to have their noses rubbed in it for a decade to come.

            And I say that as some who, while not exactly a cheerleader for Microsoft, has been referred to as an "apologist" because I happily ran a Windows Phone for several years.

            Screwing up an update is one thing. Deleting user data is something else, and falls into the "you had one job" level of screwup.

  4. Destroy All Monsters Silver badge
    Black Helicopters

    Ever-morphing killer bug more persistent than an Xenomorph in a Space Trucker cargo ship

    Now, could it be that that bug hunter has "sources" at the NSA?

    Also:

    “Microsoft has a strong commitment to security and a demonstrated track record"

    Okay ... "Microsoft has a strong commitment to cash flow and a demonstrated stuck record"

    1. J. Cook Silver badge
      Coat

      Re: Ever-morphing killer bug more persistent than an Xenomorph in a Space Trucker cargo ship

      Also, a track record of releasing bugs in their flagship OS bad enough to make square pigs look appetizing.

      Mine's not the company driver suit.

    2. Michael Wojcik Silver badge

      Re: Ever-morphing killer bug more persistent than an Xenomorph in a Space Trucker cargo ship

      could it be that that bug hunter has "sources" at the NSA?

      Assuming the "bug hunter" in question is SandboxEscaper: It's certainly possible, but hardly necessary. There was a HITB talk a couple years back about finding and fuzzing ALPCs. It's a well-known area for Windows security research in the hacker community. This is just a typical "Microsoft provided a service with elevated privileges and didn't establish the correct boundaries" bug.

  5. DJV Silver badge
    Facepalm

    Security

    But... but... but... Microsoft have been telling us for years that their latest OS is the fastest, best, most secure etc.?

    I'm beginning to suspect that they derive their levels of fastness, bestness and most secureness something like this:

    secLevel = abs (get_security_level ());

    if (secLevel > previousWindowsSecLevel) printf ("Hey look, it's more secure!");

    1. Alister

      Re: Security

      No, that's what they meant to code, however, nobody picked up the typo:

      if (secLevel < previousWindowsSecLevel) printf ("Hey look, it's more secure!");

    2. Usermane

      Re: Security

      Probably some people need to fast few days to pay somebody to fix the problems that windows made.

  6. David Adams

    Monthly Updates?

    "That also likely means that Microsoft will opt not to issue an out-of-band update for the coding cockup, and wait until next month's Patch Tuesday to post a permanent fix for the vulnerability."

    Have you not seen the updates for Windows10 recently? They are almost weekly not monthly!

    A new patch for 1803 dropped yesterday, 1709 and 1607 were patched on the 18th these are all in addition to the "Monthly" patch that dropped on the 9th.

    1. Usermane

      Re: Monthly Updates?

      Yes, patches, patches for the patches, patches for the patches of the patches...

      1. onefang

        Re: Monthly Updates?

        "Yes, patches, patches for the patches, patches for the patches of the patches..."

        Which is why we are now talking about "micropatches".

        Big fleas have little fleas upon their backs to bite 'em,

        And little fleas have lesser fleas, and so, ad infinitum.

        ...

        1. Usermane

          Re: Monthly Updates?

          But in this case seems that the big fleas had bigger fleas upon their back and so.

          1. onefang
            Pint

            Re: Monthly Updates?

            Ah, that's the other half of Augustus De Morgan's poem "Siphonaptera" that no one ever quotes. The entire thing is -

            Big fleas have little fleas upon their backs to bite 'em,

            And little fleas have lesser fleas, and so, ad infinitum.

            And the great fleas, themselves, in turn, have greater fleas to go on;

            While these again have greater still, and greater still, and so on.

            Have a beer, likely there's no fleas in it.

      2. Rich 11

        Re: Monthly Updates?

        Yes, patches, patches for the patches, patches for the patches of the patches...

        More patches than the jacket of a 1970s Open University lecturer.

  7. Anonymous Coward
    Anonymous Coward

    Sorry, but ...

    New zero day flaw: 'It can be exploited by a malicious logged-in user or malware on an already infected computer' ...

    Last December's RID hijacking: 'The technique requires a hacker to obtain administrative rights on a box, and can be used to assign admin rights to other users and guests.'

    So to summarise both of these techniques rely on the attacker *already being an admin on the machine.* So the game is already up, the Visigoths are already inside the gates, and the attacker could install what they like and wreak all sorts of havoc without going to the trouble of mucking about with reg keys etc.

    The 1809 update; that's a monumental cockup and MS deserve all the heat they're getting for that. This, not so much.

    1. MJB7

      Re: Sorry, but ...

      The canonical expression is that "the attacker is the wrong side of the air-tight hatchway". At least it is if you read "The Old New Thing" by Raymond Chen (and you should).

      1. Anonymous Coward
        Anonymous Coward

        Re: Sorry, but ...

        Already do, just couldn't remember the canonical phrasing (and couldn't be bothered to look it up) at the time of posting :)

    2. Michael Wojcik Silver badge

      Re: Sorry, but ...

      So to summarise both of these techniques rely on the attacker *already being an admin on the machine

      Today's ALPC vulnerability does not require admin privileges. Technically it doesn't require local user, either; but in practice it probably requires that and the ability to create or download a program, since you're unlikely to find suitable gadgets in anything you can overflow and ROP.

      The RID hijacking vulnerability does require elevation, but that's not the point. It's a concealment technique, not an elevation one: you can use it to grant administration-level access to any SID without adding that SID to the Administrators group or granting it additional system privileges.

      This is not very complicated. You and your eight upvoters might try reading a bit before you dismiss these issues.

  8. bombastic bob Silver badge
    Devil

    safe surfing

    1. never surf the web logged in as an 'administrator' (group or otherwise)

    2. never surf the web using a micro-shaft browser

    3. avoid surfing the web from windows, if possible (especially windows 10)

    4. use a white-listing script blocker such as 'noscript'

    5. never read (especially preview) e-mails as HTML (or with inline attachments)

    6. never just 'open' downloaded files. save to disk, first. Same with e-mail attachments.

    7. Don't use the shell to open (i.e. double-clicking in a file browser). Use the correct application, and 'File Open'. (this avoids the problem of executable files hiding as something else via the extension)

    etc.

    yeah, THESE rules probably mitigate this particular 0-day, at least to SOME extent. That goes TRIPLE for the one about being an administrator. that was sorta mentioned in the bootnote...

    1. Usermane

      Re: safe surfing

      8. Never surf the web with windows, use a live Linux instead.

      1. nematoad
        Thumb Up

        Re: safe surfing

        "8. Never surf the web with windows, use a live Linux instead."

        Yes indeed.

        TAILS will do nicely.

    2. ArrZarr Silver badge

      Re: safe surfing

      3. avoid surfing the web from windows, if possible

      That'll do a pretty good job of saving you from this particular 0-day as it's windows specific.

    3. Anonymous Coward
      Anonymous Coward

      Re: safe surfing

      "6. never just 'open' downloaded files. save to disk, first."

      What difference does that make? Wouldn't Windows open it with the same application, just from a different folder (Temp vs Downloads)?

      Asking for a friend, of course.

  9. Captain Badmouth
    FAIL

    "It can be exploited by a malicious logged-in user or malware on an already infected computer to arbitrarily delete or tamper with anything from application .dll files to critical system components."

    The silly man has just discovered the latest windows update.

  10. Dave 15

    oh God

    Another update coming, my creaking and groaning machine will slow down even more. It already takes so long to boot that I not only get a cup of tea but lunch as well. My little take on trip laptop can manage 1 application at a time without running out of memory, is perpetually showing 100% processor use while doing no more than sitting idle with a browser open

    1. onefang

      Re: oh God

      A recent update of Windows on a not particularly fast laptop I had enough time to walk home, eat dinner, watch TV, sleep, eat brekky, walk back to the office, and still had to wait an hour for it to finish.

  11. Anonymous Coward
    Stop

    If you're on Windows 10...

    ...it seems a very good time to start planning your migration off it. Microsoft has lost control of the beast. No-one can afford to run their business or indeed personal life on this pile of fail.

  12. adam payne

    “Microsoft has a strong commitment to security"

    Just not privacy.

    1. Tigra 07
      Facepalm

      "Microsoft has a strong commitment to security

      Just not privacy."

      Or bug testing apparently...

  13. Tigra 07
    Linux

    What more can i say...

    *Cough*

  14. el_oscuro
    Coat

    Delete files?

    I thought Microsoft already added that feature to Windows 10 with build 1809.

    Mine is the one with the USB backup in the pocket.

    1. whitepines
      Trollface

      Re: Delete files?

      Don't plug that USB drive into a Windows machine -- it might just upload all the files to the Microsoft cloud for "intelligence gathering", Email the more intimate files to your professional contacts, and secure erase the USB drive for good measure....

  15. dnicholas

    "Attackers never stop thinking of new ways to abuse our customers and neither do we" - Windows 10 developer, October 2018

  16. Bitsminer Silver badge

    new Microsoft slogan

    "We're not happy until you're not happy."

    "Borrowed" from Air Canada.

  17. thosrtanner

    what's with wild wacky awwitewation?

    I had numb wips after weading the article title out woud

  18. Claptrap314 Silver badge

    At some point

    Microsoft is going to decide it's cheaper to hire this guy for $10M/year so that he'll have to keep quiet...

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like