The first zero-day that SandboxEscaper published today is a bypass for Microsoft's current patch for CVE-2019-0841.
CVE-2019-0841 is a vulnerability that allows low-privileged users to hijack files owned by NT AUTHORITY\SYSTEM by overwriting the permissions (the DACL) on the targeted file. Successful exploitation leaves the low-privileged user with "Full Control" over a file it could not otherwise modify, according to Nabeel Ahmed of Dimension Data Belgium, whom Microsoft credited with discovering the bug in the first place.
Microsoft patched CVE-2019-0841 in the April 2019 Patch Tuesday, last month, describing it as a flaw in the way the Windows AppX Deployment Service (AppXSVC) handles hard links.
SandboxEscaper's exploit code shows that there is still one way to exploit CVE-2019-0841, despite Microsoft's patch.
Just to be clear, this is yet another LPE (local privilege escalation) vulnerability: attackers can't use it to break into a system remotely, but once they have code running under any low-privileged account on the machine, they can use it to gain full control of the entire PC.
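The tell-tale artefact of the bug described above is a file still owned by SYSTEM (or TrustedInstaller) whose DACL suddenly grants an ordinary user write-class rights. The following PowerShell audit is an added example written for this page; it is not part of the article and not SandboxEscaper's or Nabeel Ahmed's code. The directory list, the set of "trusted" principals and the treatment of TrustedInstaller as a system owner are assumptions to adjust for the hosts you administer.

```powershell
# Added example, not from the original article or any published PoC.
# Lists files under the given directories that are owned by SYSTEM or
# TrustedInstaller (assumed "system" owners) but whose DACL contains an
# Allow ACE granting write-class rights to a principal outside $trusted.
param(
    [string[]]$Paths = @("$env:SystemRoot\System32", "$env:SystemRoot\Installer"),  # assumption
    [switch]$Recurse
)

# Owners we treat as "system-owned" files (assumption).
$systemOwners = @('NT AUTHORITY\SYSTEM', 'NT SERVICE\TrustedInstaller')

# Principals that legitimately hold write access on system files (assumption);
# anything else with write-class rights on a system-owned file is reported.
$trusted = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'NT SERVICE\TrustedInstaller',
    'CREATOR OWNER'
)

# Rights that let a caller change the file's contents, its DACL or its owner.
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
             [System.Security.AccessControl.FileSystemRights]::TakeOwnership -bor
             [System.Security.AccessControl.FileSystemRights]::Delete

foreach ($path in $Paths) {
    Get-ChildItem -LiteralPath $path -File -Force -Recurse:$Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        $acl  = Get-Acl -LiteralPath $file.FullName -ErrorAction SilentlyContinue
        if (-not $acl -or ($systemOwners -notcontains $acl.Owner)) { return }   # skip non-system files

        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($trusted -contains $ace.IdentityReference.Value) { continue }
            if (([int]$ace.FileSystemRights -band [int]$writeMask) -eq 0) { continue }

            # Emit one record per suspicious ACE so the output pipes into Export-Csv / Out-GridView.
            [PSCustomObject]@{
                Path      = $file.FullName
                Owner     = $acl.Owner
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}
```

Run it from an elevated prompt (reading some of these DACLs needs administrator rights) and treat the output as a triage list, not a verdict: vendor installers and per-application folders can legitimately grant users write access, so compare hits against a known-good baseline taken from the same image. Non-inherited ACEs on a file whose parent directory carries no such grant are the ones worth a closer look, since that is exactly what an arbitrary-DACL-overwrite primitive leaves behind.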
Zero-day targeting Windows Installer folder
The second zero-day that SandboxEscaper has published today targets the Windows Installer folder (C:\Windows\Installer).
In a GitHub file, the researcher explains that there is a short window of time (a race condition) while a Windows app installation is being repaired during which the process can be hijacked to write files to locations of the operating system that a normal user is not permitted to write to.
This flaw, which abuses the msiexec /fa (Repair Installation) operation, can be used to plant malware and take over computers on which hackers had initially gained access only to a low-privileged account.
Compared to the zero-days SandboxEscaper published yesterday, which most security researchers ZDNet spoke with deemed useless, these two new vulnerabilities appear more useful in actual malware campaigns. SandboxEscaper did note, however, that the second one might be somewhat unreliable because of the short time window her exploit has to win the race on vulnerable computers.
ZDNet has notified Microsoft of these two new exploits and we'll update when we get a response.