Weekly Comments

4 - 11 June 2019

SandboxEscaper has released a second proof-of-concept (PoC) to bypass CVE-2019-0841, a vulnerability that Microsoft has addressed

SandboxEscaper has released a second proof-of-concept (PoC) to bypass CVE-2019-0841, a vulnerability that Microsoft addressed in its April Patch Tuesday update. CVE-2019-0841 resides in the way the Windows AppX Deployment Service (AppXSVC) handles hard links, which a local user can exploit to obtain elevated privileges. As with the first exploit released on 24 May, the researcher demonstrated the bypass through the Edge browser, using it to write a discretionary access control list (DACL) with SYSTEM privileges. The exploit is not restricted to Edge and works on other packages, even on the latest version of Windows 10 and on Windows Server 2019. SandboxEscaper has released ten PoCs targeting the Windows platform since August 2018. In response, Microsoft has created a signature in Windows Defender Antivirus to detect and remove SandboxEscaper's PoCs from Windows systems. However, this does not fully remove the threat, as the PoCs can still be modified and obfuscated to evade signature-based detection. Microsoft has not indicated whether the security flaws disclosed by SandboxEscaper will be addressed in its next security update, scheduled for release on 11 June.


References:

Windows 10 zero-day details published on GitHub

Behavior:Win32/ByeBear.A
