The security researcher who goes by the name SandboxEscaper has published yet another zero-day exploit that targets Windows 10. SandboxEscaper has previously released vulnerabilities into the wild without telling Microsoft, claiming that she would never want to submit vulnerabilities to Microsoft again, presumably due to a bad past experience. She also went on to say that they “can’t wait to sell bugs in their [Microsoft’s] software.” As of writing, the @SandboxEscaper Twitter account is suspended but she does have a blog.
The new exploit is classified as a local privilege escalation (LPE) vulnerability and can be used to give a hacker elevated privileges to run harmful code on a computer by using an exploit in the Task Scheduler. Luckily, this vulnerability can not be used by hackers to break into computers in the first instance but could be combined with these types of vulnerabilities.
Along with the source code for the vulnerability, a video was also released demonstrating the zero-day vulnerability. While it has only been tested and confirmed to work on Windows 10 32-bit systems, it’s believed that a bit of modification could see it run on all versions of Windows all the way back to Windows XP and Windows Server 2003.
Presumably, Microsoft wasn’t forewarned about the bug so the company will now have to scramble in order to fix the issue. The next patch Tuesday is scheduled for mid-June, but, if it isn"t fixed in time, users could be waiting until July before their systems are secured. In the meantime, criminals could get to work with the zero-day in order to attack systems around the world.
Source: SandboxEscaper blog (NSFW language) ZDNet