Level 22
Less than 24 hours after publicly disclosing an unpatched zero-day vulnerability in Windows 10, the anonymous hacker going by online alias "SandboxEscaper" has now dropped new exploits for two more unpatched Microsoft zero-day vulnerabilities.

The two new zero-day vulnerabilities affect Microsoft's Windows Error Reporting service and Internet Explorer 11.

Just yesterday, while releasing a Windows 10 zero-day exploit for a local privilege escalation bug in Task Scheduler utility, SandboxEscaper claimed to have discovered four more zero-day bugs, exploits for two has now been publicly released.
AngryPolarBearBug2 Windows Bug
One of the latest Microsoft zero-day vulnerabilities resides in the Windows Error Reporting service that can be exploited using a discretionary access control list (DACL) operation—a mechanism that identifies users and groups that are assigned or denied access permissions to a securable object.

Upon successful exploitation, an attacker can delete or edit any Windows file, including system executables, which otherwise only a privileged user can do.

Dubbed AngryPolarBearBug2 by the hacker, the vulnerability is a successor to a previous Windows Error Reporting service vulnerability she found late last year, which was named AngryPolarBearBug and allowed a local, unprivileged attacker to overwrite any chosen file on the system.

However, as SandboxEscaper says, this vulnerability is not very easy to exploit, and it "can take upwards of 15 minutes for the bug to trigger."

"I guess a more determined attacker might be able to make it more reliable," the hacker said. "It is just an insanely small window in which we can win our race; I wasn't even sure if I could ever exploit it at all."
Internet Explorer 11 Sandbox Bypass
The second Microsoft zero-day vulnerability revealed today by SandboxEscaper affects Microsoft's web browser, Internet Explorer 11 (IE11).
Though the exploit note doesn't contain any detail about this flaw, a video demonstration released by the hacker shows the vulnerability exists due to an error when the vulnerable browser handles a maliciously crafted DLL file.

This would eventually allow an attacker to bypass IE Protected Mode sandbox and execute arbitrary code with Medium integrity permissions.

Though all three unpatched zero-day vulnerabilities SandboxEscaper released within last 24-hours are not critical, user can expect security updates from Microsoft on 11 June, the company's next month patch Tuesday.

SandboxEscaper has a history of releasing fully functional zero-day vulnerabilities in Windows operating system. Last August, she debuted another Windows Task Scheduler vulnerability on Twitter, which hackers quickly started exploiting in the wild in a spy campaign after disclosure.

Later in October, 2018, the hacker released an exploit for a then zero-day vulnerability in Microsoft's Data Sharing Service (dssvc.dll), which she dubbed "Deletebug." In December, 2018, she released two more zero-day vulnerabilitiesin Windows operating system.

You can expect two more Microsoft zero-day vulnerabilities from SandboxEscaper in the coming days, as she promised to release them.
Two More 0-day exploited published
Gal De Leon, Principal security researcher at Palo Alto Networks, in a Tweetrevealed that the AngryPolarBearBug2 bug is not a zero day; instead, it has already been patched, identified as CVE-2019-0863, by Microsoft in May 2019 Patch Tuesday security updates.

However, SandboxEscaper has just released PoC exploits for two more new unpatched zero-day vulnerabilities in Microsoft Windows, making the zero-day disclosure to a total of 4 in the past 24 hours.

Out of 4, a new exploit bypasses the patch Microsoft released for an elevation of privilege vulnerability (CVE-2019-0841) in Windows that existed when Windows AppX Deployment Service (AppXSVC) improperly handles hard links.
— The Hacker News (@TheHackersNews) May 23, 2019

The first exploit bypasses the patch Microsoft released for an elevation of privilege vulnerability (CVE-2019-0841) in Windows that existed when Windows AppX Deployment Service (AppXSVC) improperly handles hard links.

Another repository on GitHub has been labeled as a new "Installer Bypass" issue by SandboxEscaper.

Though the hacker has released video demonstration for both new flaws as well, security researchers have yet to confirm the claims.

Andy Ful

Level 48
Content Creator
Not immediately they don't have the infrastructure for immediate updates like LivePatch for example, it's whenever the PC checks for updates, downloads it and prompts the user to install it which requires restarting. And the user will postpone it, lol.
You can forget about those vulnerabilities and probably about most publicly unknown, yet. The first will be quickly patched by M$, the second will hit mostly organizations until they will be known & patched.
I do not say, that you cannot be infected in this way. But, there are so many vulnerabilities in popular Windows software which are unpatched for a year or more. They are known to malc0ders, too. (y)

I assume that you are not an Administrator in the Enterprise.:giggle:


Level 23
Content Creator
Disable Task Scheduler and you disable like half of the current and future vulnerabilities (UAC bypasses as well), plus some performance gain. :unsure:
  • Like
Reactions: Felipe Oliveira