Over the last few months, guerilla developer SandboxEscaper has been frustrating Microsoft. She has been publishing details of privilege escalation exploits in Windows. While disclosing vulnerabilities is not bad, SandboxEscaper has not been respecting the typical 90-day process.
If you are unfamiliar with that 90-day window, it is something most tech companies adhere to. It is used by Google Project Zero, for example. When a bug is found in a piece of software, the party that discovered it warns the software creator, who then has 90 days to issue a fix.
SandboxEscaper has been avoiding telling Microsoft about the flaws she has found. Instead, the company only finds out about the flaws when they are published. That leaves Microsoft scrambling to develop a fix for an exploit that is now actively in the wild.
To Microsoft’s credit, it has worked quickly and yesterday issued four patches for five of the exploits SandboxEscaper has recently sent out.
| Exploit | CVE | Description |
|---|---|---|
| BearLPE | CVE-2019-1069 | LPE exploit in the Windows Task Scheduler process |
| SandboxEscape | CVE-2019-1053 | Sandbox escape for Internet Explorer 11 |
| CVE-2019-0841-BYPASS | CVE-2019-1064 | Bypass of the CVE-2019-0841 patch |
| InstallerBypass | CVE-2019-0973 | LPE targeting the Windows Installer folder |
Microsoft confirmed it was unable to roll out the fifth fix in time for yesterday’s Patch Tuesday cumulative updates. Overall, the company patched 88 issues during Patch Tuesday, with 21 described as critical.
Publishing Zero Days
Last month, we reported on a Windows zero-day vulnerability that had been published online by security researcher SandboxEscaper. Problematically, she published the demo exploit code without notifying Microsoft first. A day later, the guerilla developer published another two zero-day exploits.
One of those vulnerabilities was called “AngryPolarBearBug2”, a problem that affects Windows Error Reporting on Microsoft’s platform. “It can take upwards of 15 minutes for the bug to trigger,” SandboxEscaper said.
Elsewhere, the researcher describes another vulnerability that is affecting the legacy Internet Explorer 11 browser. SandboxEscaper published the code and a demo video for the zero-day.