Researcher publishes PoC for new Windows zero-day

A security researcher known only under the pseudonym of SandboxEscaper has published proof-of-concept code online for a new zero-day vulnerability affecting the Microsoft Windows operating system.

Acros Security CEO Mitja Kolsek confirmed the researcher's zero-day claim and the PoC's validity to ZDNet earlier today. This marks the third time this same researcher has posted a Windows zero-day online, after doing the same thing in August and October.

Very few technical details are available about this latest zero-day at the time of writing. The only thing known is that it impacts ReadFile, the de-facto Windows OS function for reading data from files and I/O device streams. According to a summary description provided by Kolsek, the zero-day "allows a low-privileged user to read any file that can be accessed by Local System account."

Several researchers who analyzed the zero-day this is also another elevation of privilege (EoP), a vulnerability that allows a user to gain access to functions and permissions available to higher user groups.

The two previous zero-days were also EoPs. The first one allowed an attacker to exploit the Advanced Local Procedure Call (ALPC) interface to get system privileges. The second zero-day affected the Microsoft Data Sharing (dssvc.dll) service to allow attackers to delete files that normal users wouldn't be able to interact with.

After publishing this third zero-day, the researcher's GitHub account was taken down shortly after. On her blog, the researcher accused Microsoft of taking down her GitHub account.

The researcher is also in legal hot water. Last week, the US Federal Bureau of Investigation (FBI) subpoenaed Google requesting details about her account.

The reasons are unknown, but there are several theories. One might be in regards to the researcher actively advertising zero-days online, offering to sell exploits even to foreign governments, which constitutes a violation of US software export laws.

The FBI legal request may also be in regards to a possible life and death issue. SandboxEscaper is also known to suffer for mental issues, sometimes posting messages about committing suicide.

Last but not least, the FBI might be seeking information about her identity after she briefly posted a death threat against US President Donald Trump on Twitter earlier this month, which eventually got her initial Twitter account suspended.

Article updated with YouTube video.

Cybercrime and malware, 2019 predictions

More cybersecurity coverage:

• Microsoft releases security update for new IE zero-day
• Logitech app security flaw allowed keystroke injection attacks
• SQLite bug impacts thousands of apps, including all Chromium-based browsers
• New attack intercepts keystrokes via graphics libraries
• Shamoon malware destroys data at Italian oil and gas company
• Watch researchers remotely brick a server by corrupting its BMC and UEFI firmware
• RSA Conference: This time with more women CNET
• Windows 10 users should wait to install the latest update TechRepublic