A security researcher who goes by online handle SandboxEscaper has released exploit code for three unpatched Microsoft zero-day vulnerabilities over the past two days.
The proof-of-concept (PoC) exploit code for two zero-day vulnerabilities affecting the Windows Error Reporting service and Internet Explorer 11 was released today.
The third one is a local privilege escalation bug in Task Scheduler utility which was disclosed by the researcher yesterday.
AngryPolarBearBug2 Windows Zero-Day
The first zero-day is a vulnerability in the Windows Error Reporting service which can be exploited using DACL (discretionary access control list) operation.
The vulnerability dubbed as AngryPolarBearBug2, once exploited allows the attacker to access or delete any files including files only privileged users can access.
The researcher also mentioned that the vulnerability is not easy to exploit. “It can take upwards of 15 minutes for the bug to trigger.”
According to Microsoft, they have already addressed this zero-day vulnerability in the May 2019 Patch Tuesday, as CVE-2019-0863.
Internet Explorer 11 Zero-Day
The second zero-day PoC exploit code released by SandboxEscaper impacts Internet Explorer 11.
The researcher did not publish more technical details about this flaw other than a demo video and three line summary.
The vulnerability could allow attackers to inject malicious code into Internet Explorer.
Windows Task Scheduler Process Zero-Day
The third zero-day is a local privilege escalation issue in the Windows Task Scheduler process affecting the Windows 10 operating system.
The vulnerability allows local attackers to run code with administrative privileges and gain full control over the targeted machine.
The demo video of the proof-of-concept exploit code is shown below:
This is the seventh zero-day flaw disclosed by researcher impacting Windows products in the past ten months and also promised to disclose two more Microsoft zero-day vulnerabilities in coming days.
You may be interested in reading: WhatsApp Critical Flaw Allowed Installation of Spyware on to Phones