November 2024 Windows updates brought a fix for CVE-2024-49039, a local privilege escalation issue allowing low-integrity code running on the computer to execute arbitrary medium-integrity code as the same user. This can be useful for escaping low-integrity sandboxes, such as those used by modern web browsers (for example, Mozilla Firefox) and document readers.
In short: if you are malicious code executed with low integrity, you create a scheduled task to be executed as you, then Task Scheduler executes this task with default (medium) integrity. Sandbox escaped.
The vulnerability was reported to Microsoft by the Mozilla Security Team, and by Vlad Stolyarov and Bahare Sabouri of Google's Threat Analysis Group.
Subsequently, security researcher je5442804 published their analysis and POC of this vulnerability, which allowed us to reproduce the issue and create our own patches for security-adopted Windows versions that are no longer receiving updates from Microsoft.
Microsoft's Patch
Microsoft patched this issue with new flags on the Task Scheduler RPC interface, which prevent a low-integrity process from accessing it.
Our Micropatch
We decided instead to patch the TaskSchedulerCreateSchedule function, which is used to create the scheduled task. There, we check the requesting process's integrity before creating the task and deny the creation if the process has low integrity.
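The kind of check described above, sketched as an added example (this is not 0patch's micropatch code, which the post does not show): on Windows the caller's integrity level is the last sub-authority of the mandatory-label SID that GetTokenInformation returns for TokenIntegrityLevel, and the gate below decodes that SID from raw bytes and fails closed. The function names and sample SIDs are constructed for illustration, and denying everything below medium (not only low) is an assumption.

```c
#include <stddef.h>
#include <stdint.h>

/* Well-known mandatory-label RIDs (values from the Windows SDK, winnt.h). */
#define MANDATORY_LOW_RID    0x1000u
#define MANDATORY_MEDIUM_RID 0x2000u

/* Decode the integrity RID from a raw binary SID such as the one in
 * TOKEN_MANDATORY_LABEL.Label.Sid. Returns 0 on success, -1 if the buffer
 * is not a well-formed mandatory-label SID (S-1-16-<rid>). */
int integrity_rid_from_sid(const uint8_t *sid, size_t len, uint32_t *rid)
{
    static const uint8_t label_authority[6] = {0, 0, 0, 0, 0, 16};
    if (sid == NULL || rid == NULL || len < 8)
        return -1;
    uint8_t revision = sid[0], count = sid[1];
    if (revision != 1 || count < 1 || count > 15)
        return -1;
    if (len < 8 + 4 * (size_t)count)          /* truncated sub-authorities */
        return -1;
    for (int i = 0; i < 6; i++)
        if (sid[2 + i] != label_authority[i])  /* not a mandatory label */
            return -1;
    const uint8_t *p = sid + 8 + 4 * (size_t)(count - 1); /* last RID, LE */
    *rid = (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
    return 0;
}

/* Gate: allow task creation only for callers at medium integrity or above.
 * Fails closed: an unparsable label is treated as a denial. */
int may_create_task(const uint8_t *sid, size_t len)
{
    uint32_t rid;
    if (integrity_rid_from_sid(sid, len, &rid) != 0)
        return 0;
    return rid >= MANDATORY_MEDIUM_RID;
}

/* Constructed sample SIDs: S-1-16-4096 (low) and S-1-16-8192 (medium). */
const uint8_t SAMPLE_LOW_SID[12]    = {1, 1, 0,0,0,0,0,16, 0x00,0x10,0x00,0x00};
const uint8_t SAMPLE_MEDIUM_SID[12] = {1, 1, 0,0,0,0,0,16, 0x00,0x20,0x00,0x00};

int main(void)
{
    /* Exit status 0 means low was denied and medium was allowed. */
    return !(may_create_task(SAMPLE_LOW_SID, sizeof SAMPLE_LOW_SID) == 0 &&
             may_create_task(SAMPLE_MEDIUM_SID, sizeof SAMPLE_MEDIUM_SID) == 1);
}
```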
Micropatch Availability
Micropatches were written for the following security-adopted versions of Windows with all available Windows Updates installed:
- Windows 11 v21H2 - fully updated
- Windows 10 v21H2 - fully updated
- Windows 10 v21H1 - fully updated
- Windows 10 v20H2 - fully updated
- Windows 10 v2004 - fully updated
- Windows 10 v1909 - fully updated
- Windows 10 v1809 - fully updated
- Windows 10 v1803 - fully updated
Micropatches have already been distributed to, and applied on, all affected online computers with 0patch Agent in PRO or Enterprise accounts (unless Enterprise group settings prevented that).
Vulnerabilities like these get discovered on a regular basis, and attackers know about them all. If you're using a Windows version that isn't receiving official security updates anymore, 0patch will make sure these vulnerabilities won't be exploited on your computers - and you won't even have to know or care about these things.
If you're new to 0patch, create a free account in 0patch Central, start a free trial, then install and register 0patch Agent. Everything else will happen automatically. No computer reboot will be needed.
We would like to thank je5442804 for sharing their analysis and POC, which made it possible for us to create a micropatch for this issue.
Did you know 0patch will security-adopt Windows 10 when it goes out of support in October 2025, allowing you to keep using it for at least 5 more years? Read more about it here.
To learn more about 0patch, please visit our Help Center.