Last August, a security researcher using the pseudonym SandboxEscaper tweeted news of proof-of-concept code targeting an unpatched security vulnerability in Windows 7 and 10.
Later identified as CVE-2018-8440, the issue was a weakness in Windows Task Scheduler’s Advanced Local Procedure Call (ALPC) function and was fixed by Microsoft just over two weeks later in its September 2018 monthly update after it had been exploited for several days.
A few weeks later and SandboxEscaper was back with a second Windows zero day proof-of-concept (patched in December 2018 as CVE-2018-8584), followed by a third in time for Christmas 2018 (CVE-2019-0863, eventually exploited but not patched until May 2019).
Ironically, it wasn’t the unpatched flaw disclosures that resulted in SandboxEscaper’s Twitter and GitHub accounts being suspended but a quickly deleted December 2018 death threat made against US president Donald Trump that got the attention of the FBI.
But far from silencing SandboxEscaper, if anything this seems to have provoked even more disclosures that Microsoft has been scrambling to fix each time they are dropped.
SandboxEscaper currently takes credit for 21 vulnerability disclosures dating back to 2015, which must make it hard to keep up, not least for SandboxEscaper. As the anonymous researcher says:
I drop so much of my stuff and can’t be bothered to keep track of it all.
Tell that to Microsoft, which in this month’s Windows updates found itself fixing three zero-day disclosures (CVE-2019-1069, CVE-2019-1053, and CVE-2019-0973) released by SandboxEscaper in May 2019 alone.
But it was CVE-2019-0841, patched in April 2019, that proved to be Microsoft’s biggest challenge – what started as “a bug” turned into a saga, as SandboxEscaper revealed successive bypasses for Microsoft patches.
First came a hole dubbed CVE-2019-0841-BYPASS, which was patched this week as CVE-2019-1064.
Then came a bypass of the patch for the bypass of the patch for the original vulnerability.
Patches for patches are rare; patches for patches for patches are rarer still, so when Microsot fixes this latest hole (possibly in the July 2019 Patch Tuesday update), it will surely be hoping that it really has put the issue to bed.
Why is SandboxEscaper devoting so much effort to releasing vulnerabilities in a clearly irresponsible way?
The consensus is that the researcher is either embittered or troubled.
In 2018, SandboxEscaper reportedly expressed a desire to sell flaws for $60,000 in now-deleted GitHub posts, before appearing to admit to giving exploits to “people who hate the US.”
Except, of course, vulnerabilities don’t work in a neat, surgical way – for all SandboxEscaper knows, their exploits could end up being used to attack anyone, including countries unfriendly to the US.
Releasing flaws that have yet to be patched hurts everyone.
Naked Security’s analysis of June’s Windows Patch Tuesday can be found here.