Windows Zero-day vulnerability capable of deleting files uncovered
What's the story
A new zero-day vulnerability that can be exploited to delete Windows system files has been uncovered by a security researcher.
The researcher, who goes by the name SandboxEscaper, disclosed the bug on Twitter by publishing proof-of-concept code.
It affects all recent versions of Windows 10, including the latest October 2018 Update, and remains unpatched.
Here are more details.
The problem
The bug can be exploited to delete Windows system files
The bug, the second zero-day vulnerability to be discovered by the researcher, affects the Microsoft Data Sharing Service (dssvc.dll), a local service for data brokering between applications.
When exploited, it can lead to privilege escalation, where the attacker can gain admin rights to compromise protected resources on the system.
Then, they can delete system DLLs, provide malicious ones to compromise programs, or take other actions.
Information
Only select Windows machines affected
The bug affects all Windows 10 versions as well as Windows Server 2016 and 2019. Windows 8.1 and other previous versions aren't at risk because they don't seem to have the Data Sharing Service (dssvc.dll) in question here.
Exploitation
However, it is a 'pain' to exploit
Though the bug poses a risk to Windows security, SandboxEscaper has called it low quality and a pain to exploit.
It is also worth noting that security experts claim the new vulnerability is quite similar to the one flagged in late August.
However, unlike the previous one, the latest vulnerability (code on GitHub) doesn't write garbage files but actually deletes them and crashes Windows.
Solutions
How to stay protected?
Though bugs like these are difficult to exploit, ACROS Security has released a micro-patch through its 0patch platform to block exploitation attempts until Microsoft issues an official fix.
Microsoft's fix for the last vulnerability came in September and we can expect something similar in the coming weeks.
"Our standard policy is to provide solutions via our current Update Tuesday schedule," the company told ZDNet.
Twitter Post
Patch to block the vulnerability
7 hours after the 0day in Microsoft Data Sharing Service was dropped, we have a micropatch candidate that successfully blocks the exploit by adding impersonation to the DeleteFileW call. As you can see, the Delete operation now gets an "ACCESS DENIED" due to impersonation. pic.twitter.com/qoQgMqtTas
— 0patch (@0patch) October 23, 2018