Security researcher auctions off Windows 10 zero-day exploits

A depiction of a bug on a blue binary background
(Image credit: Shutterstock)

Three zero-day exploits in Microsoft services and products have been published in as many days this week by a security researcher known for uncovering and distributing Windows vulnerabilities to hacking communities.

The researcher, with the online alias of SandboxEscaper, began her 10-month siege on Microsoft's security in August 2018, uncovering three new elevated privilege bugs this week in addition to four other zero-days published last summer.

Mostly relating to local privilege escalation (LPE) exploits, SandboxEscaper has said she wants to sell the exploits to non-western buyers and "won't sell for less than 60k" for each bug, according to a post on Github.

The first exploit was released on Monday, accompanied by a video showing code exploiting a vulnerability in the Task Scheduler in Windows 10, allowing attackers to read and write files as an admin could.

The bug is exploitable on Windows 10 x86, x64 and x32 machines, as well as Windows Server 2016 and 2019. Windows 7 and 8, as of now, seem unaffected. A video proving the effectiveness can be found on the researcher's GitHub repository.

"Local privilege vulnerabilities are pretty common on Windows, and far less concerning than a remote code execution vulnerability like the RDP bug that hit the headlines recently," said Gavin Millard, VP of intelligence at Tenable, referring to the BlueKeep vulnerability, a remote execution exploit that granted hackers the highest possible privileges on Windows operating systems.

"But, due to the researcher being motivated by cash flow rather than altruism, the main concern is the exploit being available without a fix. To exploit, the attack has to have valid credentials on the target which is non-trivial on a well maintained and secure system, but with the continued popularity of a single password rather than having credentials per service, it could be leveraged in a more targeted attack."

At the time of the release, the researcher said she had three more vulnerabilities to publish: two more LPEs and a sandbox escaper. She published the remaining LPEs later on Wednesday.

The latest bugs, number 6 and 7 of the 7 total exploits found since August 2018, were found in the Windows Error Reporting service and Internet Explorer 11 (IE11) respectively.

The vulnerability in the Windows Error Reporting service bears a strong resemblance to an earlier bug of SandboxEscaper's found in December, but it less easy to exploit.

Named 'AngryPolarBearBug2', it's another LPE issue that could allow an attacker to read and write files they wouldn't normally have access to. To work, an attacker must carefully implement a DACL (discretionary access control list) operation in the Windows service, but the researcher says "it's not that much of an issue" as it takes a fairly long time to trigger, upwards fo 15 minutes to be exact.

The IE11 vulnerability is also considered a low-impact issue and the researcher only gives a brief three-line summary of the zero-day. Attackers are able to inject malicious code into the browser but it isn't remotely exploitable and can only be used to weaken the browser's security protections ahead of subsequent attacks.

"The biggest risk that I see from this vulnerability is that of insider threat," said Craig Young, principal security researcher at Tripwire. "For example, employees typically do not have administrative rights on their workstations as this might allow them to install unauthorized software or remove critical security controls.

"These users of course know their own password and so can trivially exploit this flaw. Bad practices like password reuse or falling for social engineering tactics like phishing could also allow an attacker to exploit this, but only if they have a way to get an interactive login on the system," he added.

The vulnerabilities are released shortly after the Windows 10 May 2019 update that wasn't without its own errors. The update itself was blocked for users if they had an external USB storage device or SD card connected and could also affect internal hard drives too.

"Microsoft has a customer commitment to investigate reported security issues and we will provide updates for impacted devices as soon as possible," said a Microsoft spokesperson to IT Pro. "We urge finders to practice coordinated vulnerability disclosure to reduce the potential risk to customers."

Connor Jones

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.