A couple of days after publicly disclosing the Microsoft Edge vulnerability, Google has now disclosed yet another new vulnerability in Windows 10, though the company says that it’s just a coincidence that the two flaws have been publicly disclosed within a short period of time. Google’s Project Zero team has publicly exposed a security flaw in Windows 10 Fall Creators Update (version 1709).
James Forshaw, a security researcher with Google’s Project Zero program, claims that the vulnerability can be exploited because of the way Windows 10 handles calls to Advanced Local Procedure Call (ALPC). This basically allows a standard user to obtain administrator privileges on Windows 10, which could be misused.
There are actually two bugs in this feature, named 1427 and 1428. Both of them were reported to Microsoft in November, but only 1427 has been addressed with Windows 10 cumulative updates released earlier this month, apparently because Microsoft found it to be more critical.
While Microsoft hasn’t patched the 1428 vulnerability, it should not be an issue as the software giant says it’s not a critical vulnerability. Microsoft has labelled this flaw as important but not critical, and the researcher explains that 1428 could not be exploited remotely as it requires additional steps.
“In order to execute the exploit you’d have to already be running code on the system at a normal user privilege level. It cannot be attacked remotely (without attacking a totally separate unfixed issue to get remote code execution), and also cannot be used from a sandbox such as those used by Edge and Chrome. The marking of this issue as High severity reflects the ease of exploitation for the type of issue, it’s easy to exploit, but it doesn’t take into account the prerequisites to exploiting the issue in the first place,” the researcher says.
You can expect the fix for the unpatched vulnerability next month, but as Google has publicly disclosed it, the fix might be arriving sooner than estimated.