Delaware, USA – October 24, 2018 — A security researcher hiding under the SandboxEscaper nickname published on GitHub a proof-of-concept exploit for the second zero-day vulnerability he discovered and reported this via the Twitter account. A new exploit enables privilege escalation in Microsoft Data Sharing (dssvc.dll) and allows an attacker to delete critical system files. This vulnerability will facilitate the use of DLL highjacking techniques, allowing adversaries to delete legitimate Windows libraries, and it can also be used during destructive cyber attacks to divert attention or to cover up tracks of an operation. SandboxEscaper’s exploit was successfully tested on fully patched Windows 10+ systems, earlier versions of the operating system are not affected by this vulnerability.
The previous exploit for the zero-day vulnerability in the Microsoft Windows task scheduler was published in late August, and it allowed running malware on the attacked system with administrator privileges. The patch for it was released only in two weeks, and several hacker groups used the exploit in Cyberespionage and Ransomware campaigns. It is almost three weeks until the next Microsoft Windows Patch Tuesday, and specialists from ACROS Security released a temporary solution for Windows 10 1803, and now they are working on solutions for other vulnerable versions of Windows. To detect possible Data Sharing Service exploit usage with your security solutions, you can download new rules from Threat Detection Marketplace: https://tdm.socprime.com/tdm/info/1339