7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
7.2 High
CVSS2
Access Vector
LOCAL
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:L/Au:N/C:C/I:C/A:C
0.869 High
EPSS
Percentile
98.3%
Less than 24 hours after publicly disclosing an unpatched zero-day vulnerability in Windows 10, the anonymous hacker going by online alias โSandboxEscaperโ has now dropped new exploits for two more unpatched Microsoft zero-day vulnerabilities.
The two new zero-day vulnerabilities affect Microsoftโs Windows Error Reporting service and Internet Explorer 11.
Just yesterday, while releasing a Windows 10 zero-day exploit for a local privilege escalation bug in Task Scheduler utility, SandboxEscaper claimed to have discovered four more zero-day bugs, exploits for two has now been publicly released.
One of the latest Microsoft zero-day vulnerabilities resides in the Windows Error Reporting service that can be exploited using a discretionary access control list (DACL) operationโa mechanism that identifies users and groups that are assigned or denied access permissions to a securable object.
Upon successful exploitation, an attacker can delete or edit any Windows file, including system executables, which otherwise only a privileged user can do.
Dubbed AngryPolarBearBug2 by the hacker, the vulnerability is a successor to a previous Windows Error Reporting service vulnerability she found late last year, which was named AngryPolarBearBug and allowed a local, unprivileged attacker to overwrite any chosen file on the system.
However, as SandboxEscaper says, this vulnerability is not very easy to exploit, and it โcan take upwards of 15 minutes for the bug to trigger.โ
โI guess a more determined attacker might be able to make it more reliable,โ the hacker said. โIt is just an insanely small window in which we can win our race; I wasnโt even sure if I could ever exploit it at all.โ
The second Microsoft zero-day vulnerability revealed today by SandboxEscaper affects Microsoftโs web browser, Internet Explorer 11 (IE11).
Though the exploit note doesnโt contain any detail about this flaw, a video demonstration released by the hacker shows the vulnerability exists due to an error when the vulnerable browser handles a maliciously crafted DLL file.
This would eventually allow an attacker to bypass IE Protected Mode sandbox and execute arbitrary code with Medium integrity permissions.
Though all three unpatched zero-day vulnerabilities SandboxEscaper released within last 24-hours are not critical, user can expect security updates from Microsoft on 11 June, the companyโs next month patch Tuesday.
SandboxEscaper has a history of releasing fully functional zero-day vulnerabilities in Windows operating system. Last August, she debuted another Windows Task Scheduler vulnerability on Twitter, which hackers quickly started exploiting in the wild in a spy campaign after disclosure.
Later in October, 2018, the hacker released an exploit for a then zero-day vulnerability in Microsoftโs Data Sharing Service (dssvc.dll), which she dubbed โDeletebug.โ In December, 2018, she released two more zero-day vulnerabilities in Windows operating system.
You can expect two more Microsoft zero-day vulnerabilities from SandboxEscaper in the coming days, as she promised to release them.
Gal De Leon, Principal security researcher at Palo Alto Networks, in a Tweet revealed that the AngryPolarBearBug2 bug is not a zero day; instead, it has already been patched, identified as CVE-2019-0863, by Microsoft in May 2019 Patch Tuesday security updates.
However, SandboxEscaper has just released PoC exploits for two more new unpatched zero-day vulnerabilities in Microsoft Windows, making the zero-day disclosure to a total of 4 in the past 24 hours.
> Out of 4, a new exploit bypasses the patch Microsoft released for an elevation of privilege vulnerability (CVE-2019-0841) in Windows that existed when Windows AppX Deployment Service (AppXSVC) improperly handles hard links. pic.twitter.com/kgFhl8uBQy
>
> โ The Hacker News (@TheHackersNews) May 23, 2019
The first exploit bypasses the patch Microsoft released for an elevation of privilege vulnerability (CVE-2019-0841) in Windows that existed when Windows AppX Deployment Service (AppXSVC) improperly handles hard links.
Another repository on GitHub has been labeled as a new โInstaller Bypassโ issue by SandboxEscaper.
Though the hacker has released video demonstration for both new flaws as well, security researchers have yet to confirm the claims.
7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
7.2 High
CVSS2
Access Vector
LOCAL
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:L/Au:N/C:C/I:C/A:C
0.869 High
EPSS
Percentile
98.3%