Unofficial Patch Available for Recent Windows 10 Task Scheduler Zero-Day

An unofficial patch has been released for a recently disclosed zero-day vulnerability in Windows 10’s Task Scheduler. 

An exploit for the vulnerability was posted online a couple of weeks ago by a security researcher who uses the online handle SandboxEscaper and who has a history of revealing unpatched bugs in Microsoft’s operating system.

The issue is related to discretionary access control lists (DACL) and the Task Scheduler and was confirmed to work on fully patched Windows 10 systems, including 64-bit architectures.

An attacker could exploit the flaw locally to escalate privileges to System level. Essentially, the vulnerability allows the attacker to change permissions for any file by using schtasks to import a .job file into the Task Scheduler. 

The vulnerability, however, could only be triggered using legacy schtasks.exe, which can be easily imported from Windows XP. 

“We have confirmed that the public exploit code functions reliably on 32- and 64-bit Windows 10 platforms, as well as Windows Server 2016 and Windows Server 2019. While Windows 8 still contains this vulnerability, exploitation using the publicly-described technique is limited to files where the current user has write access, in our testing,” CERT/CC’s Will Dormann explains in a vulnerability note.

The published proof-of-concept code was designed to change the permissions on the pci.sys file by modifying its ownership. Normally owned by TrustedInstaller, the exploit allows the attacker to freely modify the file. 

While analyzing the manner in which the exploit works, 0patch’s security researchers discovered that only legacy schtasks.exe can be abused to escalate privileges, as the modern Task Scheduler would require the user setting the task to modify a file to have write permissions to that file. 

In the case of the legacy schtasks.exe, the process, which runs with attacker privileges, “calls RPC endpoint taskcomp!SASetAccountInformation in Task Scheduler’s process svchost.exe (running as Local System), which in turn calls RPC endpoint schedsvc!_SchRpcSetSecurity in the same svchost.exe (still running as Local System),” the researchers explain. 

Thus, since taskcomp.dll has Local System privileges and impersonates self, the last call is made with the same System privileges, which allows for the setting of DACL and ownership on any file.

To address the issue, the 0patch team “decided to replace self-impersonation with client-impersonation, and to do that, we removed the call to ImpersonateSalfWithPrivilege and injected a call to RpcImpersonateClient in its place.”

However, the exploit still worked, because another RPC call was made to SchRpcSetSecurity in taskcomp.dll in the event the first one was unsuccessful. Thus, the team decided to remove the call to SetSecurity entirely. 

“After that, we got the desired behavior: The legacy schtasks.exe was behaving correctly when creating a new task from a job file, and […] the hard link trick no longer worked because the Task Scheduler process correctly identified the caller and determined that it doesn’t have sufficient permissions to change DACL or ownership on a system file,” 0patch’s Simon Raner and Mitja Kolsek explain. 
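The sequence described above (self-impersonation, the switch to client-impersonation, and the fallback call that kept the exploit working) can be reduced to a question of which identity the access check runs under. The following is an added illustration, not code from 0patch, Microsoft or the original article: it is a toy Python model, not Windows code, and the principal names, the `File` class and the assumption that the fallback call runs under the service's own identity are all constructed for the example.

```python
# Toy model (not Windows code) of the access decision described in the article.
from dataclasses import dataclass

SYSTEM, USER = "SYSTEM", "lowpriv_user"   # constructed principals

@dataclass
class File:
    owner: str
    writers: set          # principals already allowed to change DACL/ownership

def set_security(token: str, f: File, new_owner: str) -> bool:
    """Stand-in for the 'set DACL/owner' operation: allowed for SYSTEM or for
    a principal that already has write access to the file."""
    if token == SYSTEM or token in f.writers:
        f.owner = new_owner
        f.writers.add(new_owner)
        return True
    return False

def legacy_endpoint(caller: str, f: File, impersonate: str, fallback: bool) -> bool:
    """Model of the legacy import path running inside a SYSTEM service.
    impersonate: 'self' (original behaviour) or 'client' (first patch attempt).
    fallback:    whether the second call made after a failure is still present
                 (assumed here to run under the service's own identity)."""
    token = SYSTEM if impersonate == "self" else caller
    if set_security(token, f, caller):
        return True
    return fallback and set_security(SYSTEM, f, caller)

def run(impersonate: str, fallback: bool, writers=()) -> str:
    """Return the file owner after a low-privileged caller uses the endpoint."""
    f = File(owner="TrustedInstaller", writers=set(writers))
    legacy_endpoint(USER, f, impersonate, fallback)
    return f.owner

if __name__ == "__main__":
    cases = [("original (self-impersonation)", ("self", True)),
             ("client-impersonation, fallback kept", ("client", True)),
             ("client-impersonation, fallback removed", ("client", False))]
    for label, args in cases:
        print(f"{label:40s} -> owner: {run(*args)}")
```

The last case is the only one in which the system file keeps its owner, while a caller who already has write access to a file is still served.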

The 0patch security researchers have released a micropatch to address the vulnerability on all Windows 10 systems running the 0patch Agent. The patch does not modify schedsvc.dll, meaning that the functionality of the new, non-legacy Task Scheduler is not affected at all. 

Contacted by SecurityWeek for comment on the vulnerability, Microsoft said that it is committed to delivering updates to impacted devices as soon as possible. What remains to be seen is whether an official fix will be included in next week’s set of security updates. 

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
