• SandboxEscaper drops another Win10 0day on Twitter

    Remember the Task Scheduler ALPC 0day dropped on Twitter at the end of August?

    The same gal, @SandboxEscaper, just dropped another one. On Twitter. No forewarning. No chance for Microsoft to fix it.

    Catalin Cimpanu has a good overview on ZDNet.

    It’s another privilege elevation attack, which means the attacker already has to be running code on your machine before it kicks in; the 0day then lets that code, running as a standard user, do things that would normally require admin rights.

    The PoC, in particular, was coded to delete files that a standard user would normally need admin privileges to remove. With the appropriate modifications, other actions could be taken, experts believe.

    That makes it very mean, but not yet a potent attack.

    Kevin Beaumont, @GossiTheDog, has taken a look at it:

    https://twitter.com/GossiTheDog/status/1054847922452480002

    I’ll update this post with the CVE number as soon as I have it.