ADVISORY: Plan to patch for Windows vulnerability

Wednesday, August 29, 2018

This message was sent to U-M IT staff groups via email on August 29, 2018. It is intended for U-M IT staff who are responsible for university machines running Windows.

Summary

A Windows zero-day vulnerability has recently been made public and verified by US-CERT. For now, it appears that Microsoft has begun working on a patch for likely release on its next scheduled Patch Tuesday, September 11. Please plan now to apply the patch when it is released.

Problem

There is a local privilege escalation vulnerability in the Microsoft Windows task scheduler caused by errors in the handling of Advanced Local Procedure Call (ALPC) systems. This could allow a local user to obtain system privileges. An attacker would first need a way to execute commands on the machine to take advantage of this vulnerability.

Affected Versions

CERT has verified that the public exploit code works on 64-bit Windows 10 and Windows Server 2016 systems. It is unclear at this point which other Windows versions are affected.

Action Items

Plan now to apply the patch for this vulnerability, after appropriate testing, when it is released. It appears a patch will be released on Microsoft's next Patch Tuesday, September 11, although that could change.

Threats

There is no known work-around for the security flaw, and a patch is not yet available.

How We Protect U-M

Information Assurance is working with Windows administrators in Information and Technology Services (ITS) and Health Information and Technology Services (HITS) to ensure plans are in place to test and apply the patch as soon as it is available for ITS and HITS services running Windows. In addition, we are monitoring news about the vulnerability and will share updates should the situation change.

Information for Users

MiWorkspace machines running Windows will be patched as soon as possible. If you use Microsoft Windows on your own devices, you should set it for automatic updates so that patches like this one are installed automatically when they are released.

In general, the best protection for your devices is this: keep your software and apps up to date, do not click suspicious links in email, do not open shared documents or email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Phishing & Suspicious Email, Secure Your Devices, and Use a Secure Internet Connection on the U-M Safe Computing website.