If you have a PC running Windows 10 that just received a security update in May 2019, chances are your computer may have a major security flaw, leaving it open to hacking.
A security researcher who calls herself ‘SandboxEscaper’ has published code on GitHub demonstrating the flaw. It shows how a hacker can enter the computer at the root level and gain administrator privileges to wreak havoc from within.
This flaw, also known as a “zero-day vulnerability” and first reported by ZDNet, is what security researchers call a “local privilege escalation (LPE)”. It is called a zero-day vulnerability because it is a flaw known to the software vendor that still doesn’t have a patch in place to fix it. This can be exploited by cybercriminals.
While bugs are not uncommon, this security flaw is a bigger issue than it seems, because it opens up admin-level privileges to anyone who gains access to the machine. This can make even minor malware powerful enough to cause widespread damage to the machine.
Here’s a simulation of the code posted by ZDNet.
The security researcher SandboxEscaper found the vulnerability in the innocuous Task Scheduler in Windows. By exploiting it, an attacker can access the system-level files of the machine and then take control of it.
The issue here is that until Microsoft issues a patch for this flaw, your machine will remain exposed. The fact that this flaw rolled out with the May 2019 update of Windows 10 means you will probably have to wait until mid-June for the next security update to roll out and fix the flaw, unless Microsoft gets to the task quicker.