Delaware, USA – December 21, 2018 – New exploit allows reading data from specific locations with system level access. SandboxEscaper publishes the third exploit in the last few months, previous exploits were quickly weaponized by cybercriminals and actively used even after Microsoft released security updates. The first exploit led to a local privilege escalation enabling adversaries to run malware or execute malicious code. The second one allowed an attacker to delete critical system files. Both exploits were published on GitHub, this time SandboxEscaper published links to online cloud storage since her GitHub repository has been disabled. Mitja Kolsek, the founder of the 0patch platform, checked the PoC and promised to release a micropatch in the near future to protect against this exploit.
Earlier this week, Microsoft released an unplanned security update to close another zero-day vulnerability (CVE-2018-8653) in the browser’s scripting engine. Exploiting CVE-2018-8653 allows adversaries to remotely execute code if they successfully lure a user to a malicious site or forcing him to open the specially crafted file with an application that uses a vulnerable scripting engine. For this vulnerability, there is no publicly available PoC exploit, but according to information from Microsoft, it is actively exploited in the wild.
For the past four months, Microsoft closes at least one zero-day vulnerability during every Patch Tuesday. Windows systems are constantly at risk and require constant monitoring. You can use Sysmon Framework for ArcSight to detect anomalies and suspicious events on Windows hosts, as well as gather hashes from every running executable: https://my.socprime.com/en/integrations/sysmon-framework-hpe-arcsight