Last August, a security researcher using the pseudonym SandboxEscaper tweeted news of proof-of-concept code targeting an unpatched security vulnerability in Windows 7 and 10.
Later identified as CVE-2018-8440, the issue was a weakness in Windows Task Scheduler’s Advanced Local Procedure Call (ALPC) function and was fixed by Microsoft just over two weeks later in its September 2018 monthly update after it had been exploited for several days.
A few weeks later and SandboxEscaper was back with a second Windows zero day proof-of-concept (patched in December 2018 as CVE-2018-8584), followed by a third in time for Christmas 2018 (CVE-2019-0863, eventually exploited but not patched until May 2019).
SandboxEscaper currently takes credit for 21 vulnerability disclosures dating back to 2015, which must make it hard to keep up, not least for SandboxEscaper. As the anonymous researcher says:
I drop so much of my stuff and can’t be bothered to keep track of it all.
Tell that to Microsoft, which in this month’s Windows updates found itself fixing three zero-day disclosures (CVE-2019-1069, CVE-2019-1053, and CVE-2019-0973) released by SandboxEscaper in May 2019 alone.
But it was CVE-2019-0841, patched in April 2019, that proved to be Microsoft’s biggest challenge – what started as “a bug” turned into a saga, as SandboxEscaper revealed successive bypasses for Microsoft patches.
First came a hole dubbed CVE-2019-0841-BYPASS, which was patched this week as CVE-2019-1064.
Then came a bypass of the patch for the bypass of the patch for the original vulnerability.
Patches for patches are rare; patches for patches for patches are rarer still, so when Microsot fixes this latest hole (possibly in the July 2019 Patch Tuesday update), it will surely be hoping that it really has put the issue to bed.
Why is SandboxEscaper devoting so much effort to releasing information about vulnerabilities in a clearly irresponsible way? Only she can say, but her public statements reportedly include now-deleted GitHub posts expressing a desire to sell flaws for $60,000 in, and an admission to having given exploits to “people who hate the US.”
Except, of course, vulnerabilities don’t work in a neat, surgical way – for all SandboxEscaper knows, their exploits could end up being used to attack anyone, including countries unfriendly to the US.
Irresponsible disclosure hurts everyone.
Naked Security’s analysis of June’s Windows Patch Tuesday can be found here.
8 comments on “Microsoft’s battle with SandboxEscaper zero days turns into grim Groundhog Day”
SandboxEscaper didn’t learn from the mistakes of US politicians (and the NSA); If you make/give weapons away, they will be pointed at you one day. Those that fail to learn from history, are bound to repeat it…
“Why is SandboxEscaper devoting so much effort to releasing vulnerabilities in a clearly irresponsible way?
The consensus is that the researcher is either embittered or troubled.”
Or it could be because there is only so much everyone needs to be constantly updating and problem-finding for a company with so many resources to handle these things by themselves. How long should you really have to wait until problems are found and fixed before you finally just give up and put them out there. Seems like a half-decent way to light a fire under the butts of companies like this.
“Releasing flaws that have yet to be patched hurts everyone.”
I don’t disagree, but then if they’re not acted on in a responsible way, who the heck cares. At least then it’s not just the bad guys that are informed of the problem.
I changed this sentence to read “Irresponsible disclosure hurts everyone”. Where vendors are intransigent, hackers are sometimes left with no choice but to release information into the public domain, sell their find to a third party or keep quiet. In that situation option #1 is probably the most responsible.
Naked Security clearly has a pro-corporate bias and weak logic to boot. The flaws were released by Microsoft, not SandboxEscaper. SandboxEscaper *revealed* the flaws. Your logic would condemn Erin Brockovich for the groundwater contamination and journalists for the Watergate crimes. Whistleblowers, whether polite and circumspect or brazen and loud, are a crucial public servant. Your doublespeak is obvious.
I’ve changed the sentence to read “releasing information about vulnerabilities”.
Naked Security is for responsible disclosure and against irresponsible disclosure. That’s pro end-user, because they have a reasonable chance to protect themselves (and a better chance of getting a high quality fix), it’s pro-hacker, because they have a chance to earn money for their hard work through bug bounties, and it’s pro-vendor, because they have a reasonable chance to develop a good fix rather than the quickest fix possible.
Where companies are intransigent and refuse to acknowledge repeated attempts to disclose information to them responsibly, there is a case for releasing information into the public domain outside of an organised process. That isn’t what happened here, and that’s why I don’t agree with your comparisons – this isn’t a cover-up, Microsoft aren’t trying to avoid fixing security issues.
It seems to me that Google Project Zero’s 90 day disclosure procedure, and its equal treatment of all vendors regardless of size, and equal treatment of bugs regardless of seriousness, is the least worst compromise between instant, irresponsible, disclosure by hackers and endless, irresponsible, foot dragging by vendors.
“Irresponsible disclosure hurts everyone.” NO! Irresponsible software companies hurt everyone. A company that has the talent and resources to produce secure products, and chooses not to is the problem. I’m surprised and a bit disappointed by your attitude to such an important issue.
Its impossible for companies to write software that does not contain bugs. This is especially true with something as large as Windows. The best we can hope for is responsible disclosure and a quick response from the vendor. Mark’s previous post sums it up very nicely.