Stories
Slash Boxes
Comments

SoylentNews is people

posted by Fnord666 on Thursday May 23 2019, @10:41PM   Printer-friendly
from the clever-names dept.

SandboxEscaper Drops Three More Windows Exploits, IE Zero-Day:

On the heels of releasing a Windows zero-day exploit on Wednesday, developer SandboxEscaper has dropped exploit code for four more flaws on Thursday morning.

On Wednesday, she dropped a Windows zero-day exploit that would allow local privilege-escalation (LPE), by importing legacy tasks from other systems into the Task Scheduler utility – and she promised four more unpatched bugs while she was at it.

SandboxEscaper held true to that promise, on Thursday releasing on GitHub the proof-of-concepts (PoCs) for another three Windows LPE flaws, and a sandbox-escape zero-day vulnerability impacting Internet Explorer 11. One of them however turns out to already be patched.

The exploits:

[...] a Windows Error Reporting (WER) bug (CVE-2019-0863), was actually patched earlier this month in Microsoft's May Patch Tuesday fixes

[...] zero-day impacting Internet Explorer 11, which could enable bad actors to inject a dynamic link library (DLL) into Internet Explorer."

[...] a bypass for a previously released patch addressing a Windows permissions-overwrite, privilege-escalation flaw (CVE-2019-0841)."

[...] A final flaw is an "installer bypass" issue in Windows update

Not just one's own personal machines need to be considered; it's all the other Windows-based systems that we interact with, too. Might be best to hold off on non-essential transactions for a while?


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 0) by Anonymous Coward on Friday May 24 2019, @06:55PM

    by Anonymous Coward on Friday May 24 2019, @06:55PM (#847287)

    Chrome is reflective, not opaque