Microsoft Windows Task Scheduler Vulnerability


This notification is voluntarily reported by BD to Information Sharing and Analysis Organizations (ISAOs).

It applies to BD products in scope in addition to products that are and are not actively supported by BD that run Microsoft Windows Operating Systems. BD engages in proactive communication around cybersecurity issues that have the potential to either directly or indirectly impact our products. Vulnerability disclosure is an essential component of BD’s culture of transparency to help ensure that customers have the necessary information to properly assess potential cybersecurity risk, even those caused by third-party software and/or operating systems.


BD is aware of a Microsoft Windows vulnerability in the task scheduler, which could allow malicious attackers to gain elevated system privileges, if compromised. This vulnerability identified a local privilege escalation vulnerability in the Advanced Local Procedure Call (ALPC) interface. It has been observed targeting fully patched Microsoft Windows 10 64-bit and Windows Server 2016 operating systems. This is not a BD-specific vulnerability, and there have been no reports of a BD product being affected by this vulnerability.

--------- Begin Update B: January 24, 2019 ---------


Products in Scope

BD has provided a list of BD products in scope that use Microsoft Windows operating systems that are potentially vulnerable to this vulnerability.

Mitigations & Compensating Controls

BD will implement vendor patches, where maintained by BD, in the next BD's routine patch deployment process for products in scope. If you have a BD product in scope where BD maintains and administers patching administration, there is no customer action needed.

For customers that maintain patching management independent of BD updates, BD recommends implementing multiple layers of security controls in order to reduce risk associated with this vulnerability:

  • Ensure the vendor’s patches have been implemented as per local patch management policy
  • Ensure appropriate security controls are in place:
    • Limit and monitor network share permissions
    • Limit and monitor privileged accounts use
    • Limit and monitor outbound network activity
    • Application whitelisting technologies
    • Use a firewall to block all incoming connections from the Internet to services that should not be publicly available
    • Ensure data has been backed up and stored according to your individual processes and disaster recovery procedures

--------- End Update B: January 24, 2019 ---------

For product or site-specific concerns, contact your BD service representative.

Additional Resources

UCS-CERT: Vulnerability Note VU#906424

Last BD Publication Update: 01/24/2019
Original BD Publication Date: 08/31/2018