Two more Microsoft zero-days uploaded on GitHub

SandboxEscaper has now published seven zero-days in Microsoft products; two more to come.

fragmentsmack-windows.png

A security researcher going online by the pseudonym of SandboxEscaper has published today demo exploit code for two more Microsoft zero-days after releasing a similar fully-working exploit the day before.

These two mark the sixth and seventh zero-days impacting Microsoft products this security researcher has published in the past ten months, with the first four being released last year, and three over the past two days.

Windows Error Reporting zero-day

The first of the two new zero-days is a vulnerability in the Windows Error Reporting service that SandboxEscaper said it can be exploited via a carefully placed DACL (discretionary access control list) operation.

The researcher named this bug "AngryPolarBearBug2" after a similar zero-day she discovered in the same Windows Error Reporting service last December, and named "AngryPolarBearBug."

The good news is that this zero-day is not as easy to exploit as the last. "It can take upwards of 15 minutes for the bug to trigger," SandboxEscaper said.

Once exploited, the zero-day should grant an attacker access to edit files they normally couldn't. In other words, it's a local privilege escalation issue, but as SandboxEscaper puts it: "not that much of an issue."

[UPDATE on May 23: Microsoft has told ZDNet that the demo code published yesterday is for a security bug that had been patched a week before with the release of the May 2019 Patch Tuesday, as CVE-2019-0863.

CVE-2019-0863 was a zero-day at the time it was patched, meaning it was actively being exploited in the wild. SandboxEscaper was credited for reporting this issue to Microsoft under the name of PolarBear. It now appears that the researcher published yesterday the demo code for CVE-2019-0863, which she previously privately reported to Microsoft.]

IE11 zero-day

The second of the Microsoft zero-days that SandboxEscaper published today is one impacting Internet Explorer 11.

Besides the exploit's source code and a short demo video, only a three-line summary is available for this zero-day.

Per SandboxEscaper, this vulnerability should allow attackers to inject malicious code in Internet Explorer. According to a security researcher who reviewed the exploit for ZDNet, this zero-day is not remotely exploitable, but can only be used to neuter security protections in IE for subsequent attacks, and should be considered a low-impact issue.

Today's releases come after yesterday, the researcher published proof-of-concept code for another Windows zero-day, a local privilege escalation in the Windows Task Scheduler process.

SandboxEscaper's list of 2018 zero-days include:

- LPE in Advanced Local Procedure Call (ALPC)
- LPE in Microsoft Data Sharing (dssvc.dll)
- LPE in ReadFile
- LPE in the Windows Error Reporting (WER) system

On her personal blog, the researcher promised to release two more zero-days impacting Microsoft products in the coming days.

More vulnerability reports: