THREAT HORIZON – DATA SHARING SERVICE ZERO-DAY
The following was circulated to our Managed Security Services customers on Thursday 25th October 2018.
Executive Summary: An exploit targeting the Data Sharing Service (dssvc.dll) has been discovered and announced on the 23rd October by “SandboxEscaper” via Twitter. This Service is utilised by Windows to perform data brokering between applications.
Currently, the proof of concept that has been provided demonstrates the ability to delete OS files and DLLs, which would normally require administrative permissions. Analysis of the proof of concept shows an attacker would be able to escalate their privileges to perform other administrative tasks, but this would require the appropriate modifications to the PoC.
This exploit affects Windows 10, Server 2016 and Server 2019 – and has been proven to work on fully patched machines. Earlier versions of Windows OS are unaffected, as the Data Sharing Service does not exist on those platforms.
There are currently very few other details surrounding this exploit.
Detect: This exploit affects all versions of Windows 10, Server 2016 and Server 2019.
Prevent: Currently, there has been no acknowledgement from Microsoft regarding this announcement. However, it is likely that a patch for this will be covered during November’s Security Updates.
React: As of this documentation (24th October 2018), we can only recommend that the situation surrounding this exploit is monitored – ITC will provide further updates should there be any developments.
Sources have stated that Microsoft is likely to patch the vulnerability in its next month’s security Patch Tuesday, which is scheduled for November 13, 2018.