The two new zero-day vulnerabilities affect Microsoft's Windows Error Reporting service and Internet Explorer 11.
Just yesterday, while releasing a Windows 10 zero-day exploit for a local privilege escalation bug in Task Scheduler utility, SandboxEscaper claimed to have discovered four more zero-day bugs, exploits for two has now been publicly released.
AngryPolarBearBug2 Windows Bug
One of the latest Microsoft zero-day vulnerabilities resides in the Windows Error Reporting service that can be exploited using a discretionary access control list (DACL) operation—a mechanism that identifies users and groups that are assigned or denied access permissions to a securable object.
Upon successful exploitation, an attacker can delete or edit any Windows file, including system executables, which otherwise only a privileged user can do.
Dubbed AngryPolarBearBug2 by the hacker, the vulnerability is a successor to a previous Windows Error Reporting service vulnerability she found late last year, which was named AngryPolarBearBug and allowed a local, unprivileged attacker to overwrite any chosen file on the system.
However, as SandboxEscaper says, this vulnerability is not very easy to exploit, and it "can take upwards of 15 minutes for the bug to trigger."
"I guess a more determined attacker might be able to make it more reliable," the hacker said. "It is just an insanely small window in which we can win our race; I wasn't even sure if I could ever exploit it at all."
Internet Explorer 11 Sandbox Bypass
The second Microsoft zero-day vulnerability revealed today by SandboxEscaper affects Microsoft's web browser, Internet Explorer 11 (IE11).
Though the exploit note doesn't contain any detail about this flaw, a video demonstration released by the hacker shows the vulnerability exists due to an error when the vulnerable browser handles a maliciously crafted DLL file.
This would eventually allow an attacker to bypass IE Protected Mode sandbox and execute arbitrary code with Medium integrity permissions.
Though all three unpatched zero-day vulnerabilities SandboxEscaper released within last 24-hours are not critical, user can expect security updates from Microsoft on 11 June, the company's next month patch Tuesday.
SandboxEscaper has a history of releasing fully functional zero-day vulnerabilities in Windows operating system. Last August, she debuted another Windows Task Scheduler vulnerability on Twitter, which hackers quickly started exploiting in the wild in a spy campaign after disclosure.
Later in October, 2018, the hacker released an exploit for a then zero-day vulnerability in Microsoft's Data Sharing Service (dssvc.dll), which she dubbed "Deletebug." In December, 2018, she released two more zero-day vulnerabilities in Windows operating system.
You can expect two more Microsoft zero-day vulnerabilities from SandboxEscaper in the coming days, as she promised to release them.
Important Update — Two More 0-Day Exploited Published
Gal De Leon, Principal security researcher at Palo Alto Networks, in a Tweet revealed that the AngryPolarBearBug2 bug is not a zero day; instead, it has already been patched, identified as CVE-2019-0863, by Microsoft in May 2019 Patch Tuesday security updates.
However, SandboxEscaper has just released PoC exploits for two more new unpatched zero-day vulnerabilities in Microsoft Windows, making the zero-day disclosure to a total of 4 in the past 24 hours.
Out of 4, a new exploit bypasses the patch Microsoft released for an elevation of privilege vulnerability (CVE-2019-0841) in Windows that existed when Windows AppX Deployment Service (AppXSVC) improperly handles hard links. pic.twitter.com/kgFhl8uBQy— The Hacker News (@TheHackersNews) May 23, 2019
The first exploit bypasses the patch Microsoft released for an elevation of privilege vulnerability (CVE-2019-0841) in Windows that existed when Windows AppX Deployment Service (AppXSVC) improperly handles hard links.
Another repository on GitHub has been labeled as a new "Installer Bypass" issue by SandboxEscaper.
Though the hacker has released video demonstration for both new flaws as well, security researchers have yet to confirm the claims.