SandboxEscaper, the developer who has published several Microsoft related vulnerabilities recently, is back. This time, she has released a way to workaround Redmond’s recent CVE-2019-0841 Windows Patch.

In a report, ThreatPost says SandboxEscaper published the exploit for a patch Microsoft issued to fix a Windows local privilege-escalation (LPE) vulnerability. As we have mentioned before, the developer is shining a light on problems in Microsoft’s services. The problem is, SandboxEscaper is not telling the company about these problems.

The latest workaround is an exploit called “ByeBear”, which allows bad actors to bypass Microsoft’s own patches. CVE-2019-0841 required a fix from the company because Windows AppX Deployment Service (AppXSVC) was dealing with hard links poorly.

By leveraging this exploit, attackers can gain elevated access to a machine and install malicious content, see data, or change and delete files. Microsoft explained the vulnerability in April:

“To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.”


SandboxEscaper has shown the patch can be bypassed but has once again failed to adhere to accepted disclosure practices. In the notes for the exploit on GitHub, the developer explains she was worked on exploiting the Microsoft Edge browser. She says the exploit can be implemented by deleting files and folders within:

“c:\\users\\%username%\\appdata\\local\\packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\” and then launching Edge twice.

“When we launch [Edge] a second time, it will write the DACL [discretionary access control list] while impersonating ‘SYSTEM,’” she says. “The trick here is to launch Edge by clicking it on the taskbar or desktop, using ‘start microsoft-edge:’ seems to result in correct impersonation.”

“This will be triggered with other packages too,” SandboxEscaper adds. “So you can definitely figure out a way to trigger this bug silently without having Edge pop up. Or you could probably minimize Edge as soon as it launches and close it as soon as the bug completes. I think it will also trigger by just launching Edge once, but sometimes you may have to wait a little.”

Disclosure History

Last month, we reported on a Windows zero-day vulnerability that had been published online by security researcher SandboxEscaper. Problematically, she published the demo exploit code without notifying Microsoft first. A day later, the guerilla developer published another two zero-day exploits.

One of those vulnerabilities was called “AngryPolarBearBug2”, a problem that affects Windows Error Reporting on Microsoft’s platform. SandboxEscaper says “It can take upwards of 15 minutes for the bug to trigger,” SandboxEscaper said.

Elsewhere, the researcher describes another vulnerability that is affecting the legacy Internet Explorer 11 browser. SandboxEscaper published the code and a demo video for the zero-day.