A first zero-day exploit was announced for Windows 10, but the worst thing is that four additional zero-day flaws could have been announced shortly. A few hours later an exploit further sees the light, hitting IE11 in this case and leaving two further exploits in the pipeline. Everything therefore suggests that in the next few hours the release process will continue until exhaustion.
Read More Stories: Linux gets CPU frequency scaling for Raspberry Pi
The signature is that of ” SandboxEscaper “, which would sell its discoveries to oriental users for a price equal to 60 thousand dollars. In other words, there is certainly no hacker ethics behind the discovery: the goal is to scare, disrupt and monetize. Hence the absence of any signaling through official channels and, instead, the direct arrival of the first vulnerability to illustrate how serious the impact of an exploit based on the others still may be. For SandboxEscaper this is yet another action of this type, all within a few months, some of which have serious potential.
Read More Stories: Google Duplex: Machine reservation often needs human help
The first problem is related to a possible ” Local Privilege-Escalation ” attack following a vulnerability in the Windows 10 Task Scheduler. In this case the gravity is extreme because it allows to access the system with maximum privileges, therefore being able to take full device control.
Read More Stories: Huawei: the alternative to Android already in the fall?
The second exploit, brought online with a lot of demonstration video, is related to the Internet Explorer 11 browser and would be low impact since it can not be practiced remotely.
SandboxEscaper just released this video as well as the POC for a Windows 10 priv esc pic.twitter.com/IZZzVFOBZc
— Chase Dardaman (@CharlesDardaman) May 21, 2019
It is now necessary to understand how diligently Microsoft will be able to put a patch to these new problems, even considering how the June patch day is now imminent and the group rarely runs for cover, hastening the pace.