
SandboxEscaper drops three more Windows 10 zero-day exploits

The security researcher behind the Windows 10 Task Scheduler zero-day security flaw released earlier this week has made good on her promise to release exploit code for four more vulnerabilities.

Three of them take advantage of zero-day security flaws, while the fourth was patched by Microsoft earlier this month.

The researcher, known as SandboxEscaper, announced the releases on her blog, where she also posted a video of R.E.M.’s ‘It’s the End of the World as We Know It (And I Feel Fine)’ to accompany it.

She also wrote:

“Uploaded the remaining bugs.

burning bridges. I just hate this world.

ps: that last windows error reporting bug was apparently patched this month. Other 4 bugs on github are still 0days. have fun.

Bye.”

The GitHub proofs-of-concept include three Windows local privilege escalation (LPE) security flaws and a sandbox-escape vulnerability in Internet Explorer 11, although one of the LPEs was patched in Microsoft’s May Patch Tuesday. One of the two aliases credited for that flaw, ‘Polar Bear’, indicates that SandboxEscaper had forwarded its details to Microsoft.

The patched flaw, CVE-2019-0863, is an LPE targeting the Windows Error Reporting service; it was given a CVSS 3.0 severity score of 7.8 (high).

The Internet Explorer 11 vulnerability enables attackers to inject DLLs into IE. “The third is a bypass for a previously released patch addressing a Windows permissions-overwrite, privilege-escalation flaw (CVE-2019-0841). The bug exists because Windows AppX Deployment Service (AppXSVC) improperly handles hard links,” according to Threatpost.

The final flaw is an ‘installer bypass’ issue with Windows Update.

“Figure out how this works for yourself. I can’t be bothered. It’s a really hard race, doubt anyone will be able to repro[duce it] anyway. Could be used with malware, you could programmatically trigger the rollback. Maybe you can even pass the silent flag to hide installer user interface and find another way to trigger rollback,” SandboxEscaper writes on GitHub, adding that exploitation is based on “a really small timing window”.

SandboxEscaper also indicated that she was in the market to sell flaws to “people who hate the US”, a move made in apparent response to FBI subpoenas against her Google account.

Source: Inquirer