Re: So classic way to find an exploit.
"I wonder if the code to check was in a dev version but some PHB decreed 'Nah, that slugs performance, and it'll never be a problem IRL'"
More like "I don't want to do extra work to check for this" by some lazy overpaid millennial "child" since (it appears that) nearly all senior devs and QA people have left Micro-shaft over the last decade or so... maybe taking their stock options, or getting out while the getting's good, or being hit by a round of lay-offs that target the senior people because they earn more... [this has been somewhat confirmed by NYT and Forbes and other news sources, showing how average age at tech companies is much lower than you'd normally expect]
I surfed around a bit, which led me to the GitHub site where the sample was posted, but it was deleted 3 days ago. Did a little commit history digging and managed to download the (otherwise deleted) RAR file containing source and binaries, a docx file [that I did not open], and an mp4 video. I just followed links from the article and applied some web-common-sense and voilà!
A comment from the source says the following (for what it's worth):
"_SchRpcSetSecurity which is part of the task scheduler ALPC endpoint allows us to set an arbitrary DACL. It will Set the security of a file in c:\windows\tasks without impersonating, a non-admin (works from Guest too) user can write here. Before the task scheduler writes the DACL we can create a hard link to any file we have read access over. This will result in an arbitrary DACL write."
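A defender-side check for the precondition the quoted comment describes, a hard link sitting in c:\windows\tasks. This is an added example, not part of the original post or of the posted sample; it lists files in a directory that have more than one name and looks up their other names. The function names and the temp-directory sample data are constructed for illustration.

```python
import os
import stat
import tempfile

TASKS_DIR = r"C:\Windows\Tasks"  # directory named in the quoted comment


def find_hard_linked_files(directory):
    """Return regular files in `directory` that have more than one name."""
    hits = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        # os.lstat, not DirEntry.stat(): on Windows only os.stat/os.lstat
        # populate st_nlink, st_dev and st_ino.
        st = os.lstat(path)
        if stat.S_ISREG(st.st_mode) and st.st_nlink > 1:
            hits.append({"path": path, "links": st.st_nlink,
                         "file_id": (st.st_dev, st.st_ino)})
    return hits


def find_other_names(hit, search_roots):
    """Walk `search_roots` for other paths that are the same file as `hit`."""
    peers = []
    for root in search_roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue  # unreadable or vanished while walking
                if (st.st_dev, st.st_ino) == hit["file_id"] and path != hit["path"]:
                    peers.append(path)
    return sorted(peers)


def demo():
    """Constructed layout: a stand-in tasks dir and a stand-in protected dir."""
    base = tempfile.mkdtemp()
    tasks = os.path.join(base, "tasks")
    protected = os.path.join(base, "protected")
    os.mkdir(tasks)
    os.mkdir(protected)
    target = os.path.join(protected, "sample_target.txt")
    for p in (target, os.path.join(tasks, "ordinary_entry.txt")):
        with open(p, "w") as fh:
            fh.write("constructed sample\n")
    os.link(target, os.path.join(tasks, "second_name.txt"))  # alias of target
    hits = find_hard_linked_files(tasks)
    return hits, [find_other_names(h, [protected]) for h in hits], target
```

On a live system, call `find_hard_linked_files(TASKS_DIR)` and pass the volume's sensitive directories as `search_roots`; any hit whose other name lies outside the tasks directory deserves a look.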