SandboxEscaper has released a second proof-of-concept (PoC) that bypasses the fix for CVE-2019-0841, a vulnerability Microsoft addressed in its April Patch Tuesday update. CVE-2019-0841 lies in the way the Windows AppX Deployment Service (AppXSVC) handles hard links, which a local user can exploit to obtain elevated privileges. As with the first bypass released on 24 May, the researcher demonstrated the exploit through the Edge browser, using it to write a discretionary access control list (DACL) with SYSTEM privileges. The exploit is not restricted to Edge: it works against other packages as well, including on the latest versions of Windows 10 and Windows Server 2019. SandboxEscaper has released ten PoCs targeting the Windows platform since August 2018. In response, Microsoft has created a Windows Defender Antivirus signature to detect and remove SandboxEscaper's PoCs from Windows systems. However, this does not fully remove the threat, as the PoCs can still be modified and obfuscated to evade signature-based detection. Microsoft has not indicated whether the flaws disclosed by SandboxEscaper will be addressed in its next security update, scheduled for release on 11 June.