Over the last few months, guerilla developer SandboxEscaper has been frustrating Microsoft. She has been publishing details of privilege escalation exploits in Windows. While disclosing vulnerabilities is not bad, SandboxEscaper has not been respecting the typical 90-day process. If you are unfamiliar with that 90-day window, it is something most the tech companies adhere to. It is used by Google Project Zero, for example. When a bug is found in a software, the party that discovered it warns the software creator, who then has 90 days to issue a fix. SandboxEscaper has been avoiding telling Microsoft about the flaws she has found. Instead, the company only finds out about the flaws when they are published. That leaves Microsoft scrambling to develop a fix for an exploit that is now actively in the wild. To Microsoft's credit, it has worked quick and yesterday issued four patches for five of the exploits SandboxEscaper has recently sent out.
|BearLPE||CVE-2019-1069||LPE exploit in the Windows Task Scheduler process|
|SandboxEscape||CVE-2019-1053||Sandbox escape for Internet Explorer 11|
|CVE-2019-0841-BYPASS||CVE-2019-1064||Bypass of the CVE-2019-0841 patch|
|InstallerBypass||CVE-2019-0973||LPE targeting the Windows Installer folder|