Yesterday, we reported on a Windows zero-day vulnerability that had been published online by security researcher SandboxEscaper. Problematically, the researcher published the demo exploit code without notifying Microsoft first. A day later, SandboxEscaper has published another two zero-day exploits.
As we noted yesterday, not telling Microsoft about these vulnerabilities before disclosure means no fix could be prepared in advance. Microsoft will undoubtedly begin work on a fix now, but all the exploits are already available in the wild.
However, it is worth noting Microsoft says the exploit that was published yesterday has been fixed through its May Patch Tuesday release. The company seems to have also spotted the problem and closed it.
This vulnerability is named “AngryPolarBearBug2”, a problem that affects Windows Error Reporting on Microsoft’s platform. “It can take upwards of 15 minutes for the bug to trigger,” SandboxEscaper said.
Elsewhere, the researcher describes another vulnerability that is affecting the legacy Internet Explorer 11 browser. SandboxEscaper published the code and a demo video for the zero-day.
She says this vulnerability would give attackers the ability to insert malicious code into IE 11. It seems this zero-day is not exploitable from a remote location, so an attacker would need local access.
Yesterday, the researcher described a local privilege escalation (LPE) zero-day.
If you are unfamiliar with LPE vulnerabilities, they are common in the latter stages of attacks. Bad actors cannot use LPEs to gain initial access to a system, but they can use them to elevate access once a host has been compromised, for example, increasing access from a low-privileged account to admin level.
The Windows 10 zero-day described on GitHub is located in the Windows Task Scheduler. By running a nefarious .job file, hackers can exploit the way Task Scheduler changes DACL (discretionary access control list) permissions for each individual file.