CATEGORIES
home News

Another Windows 10 Zero-Day Exploit Code Released By Spurned Security Researcher

by Brandon HillWednesday, May 22, 2019, 11:55 AM EDT

SandboxEscaper is at it again, releasing another zero-day exploit into the wild without giving Microsoft a heads up before publication. If you recall, SandboxEscaper doesn't think too highly Microsoft and has published other zero-day vulnerabilities affecting the company's software dating back to the summer of 2018.

Windows Key

The latest exploit leverages local privilege escalation (LPE) to compromise the Windows 10 task scheduler. If you recall, SandboxEscaper used a similar method to exploit the task scheduler back in August. According to the description of the vulnerability posted to GitHub, a malicious .job file targeting the task scheduler is the springboard for this latest attack.

We should mention that this attack alone will not give an attacker direct access to your system. However, they could use another exploit to first gain access, then piggyback this latest task scheduler vulnerability to escalate privileges until they are finally able to gain administrator access.

As we previously mentioned, SandboxEscaper has a serious axe to grind with Microsoft and has posted inflammatory commentary on her blog about the company. She is even seeking to get paid for her LPEs, writing, "If any non-western people want to buy LPEs, let me know. (Windows LPE only, not doing any other research nor interested in doing so). Won't sell for less [than] 60k for an LPE... I don't owe society a single thing. Just want to get rich and give you f**ktards in the west the middlefinger."

Well, we at least know what her motivations are. With that being said, you can see a video the exploit in action in the Twitter embed below:

Currently, the task schedule LPE vulnerability is only applicable to Windows 10 (32-bit) systems. However, ZDNet warns that all versions of Windows dating back to the positively ancient Windows XP could possibly be affected. Since Microsoft wasn't given a heads up on SandboxEscaper disclosure, the earliest possible fix won't be delivered until next month's Patch Tuesday (June 11th).

Tags:  Microsoft, Zero-Day, Windows 10, (nasdaq:msft), sandboxescaper
TOP CONVERSATIONS
Your Next PC Platform?
More Results
KEEP INFORMED
SITE

Home

Reviews

News

Blogs

Full Site

Sitemap

CATEGORIES

PC Components

Systems

Mobile

IT Infrastructure

Leisure

Videos

COMPANY

About

Advertise

News Tips

Contact

Privacy And Terms

HotTech

MORE

Accessibility

Shop

STAY CONNECTED

Twitter

Facebook

YouTube

RSS

As an Amazon and Howl Technologies Associate, HotHardware earns a commission from qualifying purchases made on this site. This site is intended for informational and entertainment purposes only. The contents are the views and opinion of the author and/or his associates. All products and trademarks are the property of their respective owners. Reproduction in whole or in part, in any form or medium, without express written permission of Hot Hardware, Inc. is prohibited. All content and graphical elements are Copyright © 1999 - 2024 David Altavilla and Hot Hardware, Inc.
All rights reserved. Privacy and Terms - Accessibility Commitment