A Windows ALPC vulnerability that had been exploited in the wild for two weeks was finally patched by Microsoft as part of the September 2018 Patch Tuesday release.
The Windows Advanced Local Procedure Call (ALPC) flaw was disclosed with proof-of-concept exploit code on Aug. 27, 2018, by Twitter user SandboxEscaper. The vulnerability affects the Windows Task Scheduler and can allow an attacker to obtain elevated system privileges.
Microsoft noted the issue would require an attacker to log on to the target system. The vendor labeled the Windows ALPC flaw (CVE-2018-8440) as “important,” but not “critical,” in its Patch Tuesday advisory, despite the vulnerability being actively exploited in the wild.
On Sept. 5, Matthieu Faou, malware researcher for ESET, based in Bratislava, Slovakia, first reported seeing a group called PowerPool exploiting the Windows ALPC vulnerability in the wild over the previous week. Faou noted the group did not reuse the proof of concept released by SandboxEscaper and instead modified it slightly.
Allan Liska, threat intelligence analyst at Recorded Future in Somerville, Mass., said this meant PowerPool added the exploit to its arsenal of tools within 48 hours of the exploit being published on Twitter. But it is still unclear how widespread the attacks have been.
“The challenge is that PowerPool is a relatively new group, and they don’t have a large footprint in terms of exploitation — at least as far as we can tell. So, there isn’t a good way to gauge the extent of the damage,” Liska said via email. “As far as Microsoft’s decision, even though the vulnerability was being exploited in the wild, because it is not a remote access vulnerability, nor a critical one, Microsoft probably made the correct decision not releasing an out-of-band patch.”
Although Microsoft chose not to release an out-of-band patch for the Windows ALPC flaw, a third-party patch from micropatching vendor 0patch was released on Aug. 30. Mitja Kolsek, co-founder of 0patch, noted in a blog post that the patch they released was “functionally identical” to the patch released by Microsoft.
Chris Goettl, director of security product management at Ivanti, based in South Jordan, Utah, said consistency is key with update cycles to help plan maintenance. But “on the flip side, security researchers and threat actors do not have set schedules.”
“An exploit can be developed and be released at any time and cannot be planned for. If a researcher finds a threat and the threat is considerable, there should be some urgency put around getting a resolution in place,” Goettl said via email. “In this case, it seems it should have been reasonable to keep this update in the normal update cycle. If it would have been remotely exploitable without authentication and in a protocol like SMB — think Eternal family of exploits — or something of a similar more dire nature, it would have warranted an out-of-band release.”