A specialist in IT security audit services known under the pseudonym of SandboxEscaper has just revealed new zero-day vulnerabilities in Windows; this is the third consecutive day that the investigator reveals the discovery of new flaws in the operating system.
The investigator published in her GitHub account the code of a proof of concept for two zero-day vulnerabilities, plus a step-by-step explanation for using these exploits. The investigator has found eight zero-day vulnerabilities in the last ten months.
It is worth noting that SandboxEscaper has reported zero day flaws in the last three days, which she also published on her GitHub profile. According to IT security audit services specialists, the vulnerabilities reported are:
- A local privilege escalation vulnerability in the Windows Task Scheduler
- Escape from the sandbox for Internet Explorer
- A privilege escalation flaw in the Windows Error Reporting Service (Microsoft patched this vulnerability shortly before the investigator published her exploitation code)
As for her most recent findings, the first vulnerability is a method to bypass the security patch that the company launched for the CVE-2019-0841 flaw. This vulnerability allows users with reduced privileges to hijack higher privilege files, overwriting permissions on the targeted file.
The second reported vulnerability is targeted against the Windows Installer folder. SandboxEscaper explains that there is a very short period of time in which it is possible to hijack the repair process of Windows applications to inject files into unauthorized areas of the operating system. The vulnerability abuses the MSIEXEC/FA operation to inject malware and control the computers that hackers have previously accessed through a low-privilege account.
According to IT security audit services specialists from the International Institute of Cyber Security (IICS), these two vulnerabilities could generate serious problems for Windows system administrators, unlike the flaws previously published by SandboxEscaper, whose exploitation was considered as unlikely or highly complex. However, the IT security audit services specialist points out that the exploitation of the second vulnerability reported yesterday is also unlikely, because the window of time to exploit the vulnerable process is really reduced.