The security researcher SandboxEscaper announced via Twitter that they had uncovered a new zero-day exploit, called Windows Deletebug.exe. The vulnerability was described as “a low-quality bug that is a pain to exploit,” but it still caused concern (as any zero-day should). The reason for this has to do with the fact that it allows powerful results if an attacker does manage to exploit it.
In his own Twitter analysis, the Manchester-based InfoSec researcher Kevin Beaumont stated the following about the exploit’s effects:
So this works. Windows 10 and Server 2016 (and 2019) only. It’s similar to Task Scheduler exploit, it allows non-admins to delete any file by abusing a new Windows service not checking permissions again.
He then added the following warning:
By the way don’t run this in production (obviously) as it renders system unbootable.
In the hands of a skilled hacker not afraid of a challenge, that challenge being accessing a machine and exploiting the zero-day, the damage done to a target network could be rather significant. In an email exchange with Tara Seals of Kaspersky Lab’s Threatpost, head researcher at Tenable, Tom Parsons, had this to say:
This could be exploited to facilitate lateral movement within an organization or even potentially destructive purposes – such as deletion of key system files, rendering a system inoperable... given that it affects both server and client operating systems, and with Windows 10 the second-most prevalent MS desktop/client OS after Windows 7, will also make this attractive to attackers... To put the threat into perspective, an attacker would already need access to the system or to combine it with a remote exploit to leverage the vulnerability.
While there is no word yet from Microsoft as to when the Windows Deletebug will be patched, 0patch announced that they had created a micropatch to hold users over. The announcement was on Twitter where the company made Windows create an “Access Denied” notice when the delete option is executed as a result of impersonation.
Because the Windows Deletebug is hard to exploit, some may brush off this zero-day. Doing so would be a mistake, and I recommend the micropatch until Microsoft creates a proper fix.
Featured image: Freerange Stock