SandboxEscaper is at it again, releasing another zero-day exploit into the wild without giving Microsoft a heads up before publication. If you recall, SandboxEscaper doesn't think too highly of Microsoft and has published other zero-day vulnerabilities affecting the company's software dating back to the summer of 2018.
The latest exploit is a local privilege escalation (LPE) that targets the Windows 10 task scheduler. If you recall, SandboxEscaper used a similar method to exploit the task scheduler back in August. According to the description of the vulnerability posted to GitHub, a malicious .job file targeting the task scheduler is the springboard for this latest attack.
We should mention that this attack alone will not give an attacker direct access to your system. However, they could use another exploit to first gain access, then piggyback on this latest task scheduler vulnerability to escalate privileges until they are finally able to gain administrator access.
As we previously mentioned, SandboxEscaper has a serious axe to grind with Microsoft and has posted inflammatory commentary on her blog about the company. She is even seeking to get paid for her LPEs, writing, "If any non-western people want to buy LPEs, let me know. (Windows LPE only, not doing any other research nor interested in doing so). Won't sell for less [than] 60k for an LPE... I don't owe society a single thing. Just want to get rich and give you f**ktards in the west the middlefinger."
Well, we at least know what her motivations are. With that being said, you can see a video of the exploit in action in the Twitter embed below:
SandboxEscaper just released this video as well as the POC for a Windows 10 priv esc pic.twitter.com/IZZzVFOBZc — Chase Dardaman (@CharlesDardaman) May 21, 2019
Currently, the task scheduler LPE vulnerability is only applicable to Windows 10 (32-bit) systems. However, ZDNet warns that all versions of Windows dating back to the positively ancient Windows XP could possibly be affected. Since Microsoft wasn't given a heads up on SandboxEscaper's disclosure, the earliest a fix could be delivered is next month's Patch Tuesday (June 11th).