Microsoft is preparing to issue a patch for a zero-day Windows exploit after it was first disclosed by a security researcher on Twitter.
The bug, which has been verified by the US government’s Computer Emergency Readiness Team, affects Windows 10 and Windows Server 2016 task scheduler and could give hackers privileged system access to a target’s computer – if they can convince them to download malicious applications.
A Microsoft spokesperson suggested the company would not be issuing a standalone patch, but would release a fix in the next patch Tuesday.
“Windows has a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible,” the statement read. “Our standard policy is to provide solutions via our current Update Tuesday schedule.”
Mitigating the vulnerability
Allan Liksa, a security solutions architect at Recorded Future, said that while there was no patch for the vulnerability, “one possible mitigation is to prevent untrusted (usually guest) users from running code”.
But he added that it was not a bullet proof fix. “If an attacker gains access with user level privilege (e.g. through a browser remote code execution exploit) this mitigation will not work,” Liska added. “The best bet until Microsoft releases a patch is to monitor for suspicious activity from Task Scheduler.”