Delaware, USA – May 22, 2019 – While we are all preparing to defend against attacks that exploit the CVE-2019-0708 vulnerability, the infamous exploit developer SandboxEscaper has published her latest findings on GitHub. A new exploit for a Task Scheduler vulnerability elevates the privileges of a limited user account to administrator level. The published code targets 32-bit Windows 10 systems, but it can be modified for use against any system running Windows, including the outdated Windows XP and Windows Server 2003. Although local privilege escalation vulnerabilities do not by themselves allow an attacker to infect a system, their use in combination with other vulnerabilities and social engineering poses a serious threat to organizations. One of SandboxEscaper's first Windows 10 exploits was modified and weaponized by adversaries, including the PowerPool espionage group, within a few days of publication. The exploit developer also announced four more Windows zero-days and offered them for sale to non-Western buyers.
It is noteworthy that this zero-day vulnerability became known a week after Microsoft's Patch Tuesday and a few days after the first working exploits for BlueKeep began to appear. Microsoft typically releases security updates fixing SandboxEscaper's findings within a month or two, while temporary fixes from security researchers appear much earlier. To closely monitor MS Windows and Active Directory security events, you can use the free SIEM content available in Threat Detection Marketplace: https://my.socprime.com/en/integrations/windows-security-monitor-arcsight