Researchers at Acros Security have issued three micropatches for zero-day exploits in Windows. At the time of writing, these bugs are yet to be remedied by Microsoft, despite their publication last month.
Two of the bugs come from a controversial user known as SandboxEscaper, who published them on Microsoft’s GitHub with little prior warning. One, known as AngryPolarBear, allows an attacker to overwrite any file on the system via a local unprivileged process.
SandboxEscaper’s second bug, the ‘readfile’, is a little more complex:
“This one allows an unprivileged process running on a Windows computer to obtain the content of arbitrary file, even if permissions on such file don’t allow it read access,” explains Mitja Kolsek of Acros Security’s 0patch team. “The proof-of-concept demonstrates reading the content of another user’s desktop.ini file from user’s desktop, but the author suggests reading Office history files (and other index or history files with known paths) could reveal further paths to interesting files belonging to other users.”
SandboxEscaper became known to many with the publication of her Task Scheduler Flaw. At the time, the user noted her frustrating with Microsoft’s bug bounty process, a sentiment that has been echoed by others.
Arbitrary Code Execution
Naturally, it’s a dangerous practice that could seriously impact the security of innocent users. For the third bug, that’s not the case, this time published by ZDI researcher John Page. Page gave Microsoft a customary 90 days to solve the issue but was told it would not be issuing a fix.
ZDI published the vulnerability as a result. It lets attackers execute arbitrary code on vulnerable Windows installs after a user opens a malicious page or file. The flaw exists in the processing of VCard files.
It’s not a good look when another company has to patch Microsoft’s bugs, but the tech giant hasn’t had much warning on some. For now, the only option is to install the 0patch agent.