Microsoft’s battle with SandboxEscaper zero days turns into grim Groundhog Day

Last August, a security researcher using the pseudonym SandboxEscaper tweeted news of proof-of-concept code targeting an unpatched security vulnerability in Windows 7 and 10.

Later identified as CVE-2018-8440, the issue was a weakness in Windows Task Scheduler’s Advanced Local Procedure Call (ALPC) function and was fixed by Microsoft just over two weeks later in its September 2018 monthly update after it had been exploited for several days.

A few weeks later and SandboxEscaper was back with a second Windows zero day proof-of-concept (patched in December 2018 as CVE-2018-8584), followed by a third in time for Christmas 2018 (CVE-2019-0863, eventually exploited but not patched until May 2019).

SandboxEscaper currently takes credit for 21 vulnerability disclosures dating back to 2015, which must make it hard to keep up, not least for SandboxEscaper. As the anonymous researcher says:

I drop so much of my stuff and can’t be bothered to keep track of it all.

Moving target

Tell that to Microsoft, which in this month’s Windows updates found itself fixing three zero-day disclosures (CVE-2019-1069, CVE-2019-1053, and CVE-2019-0973) released by SandboxEscaper in May 2019 alone.

But it was CVE-2019-0841, patched in April 2019, that proved to be Microsoft’s biggest challenge – what started as “a bug” turned into a saga, as SandboxEscaper revealed successive bypasses for Microsoft patches.

First came a hole dubbed CVE-2019-0841-BYPASS, which was patched this week as CVE-2019-1064.

Then came a bypass of the patch for the bypass of the patch for the original vulnerability.

Patches for patches are rare; patches for patches for patches are rarer still, so when Microsot fixes this latest hole (possibly in the July 2019 Patch Tuesday update), it will surely be hoping that it really has put the issue to bed.

Why is SandboxEscaper devoting so much effort to releasing information about vulnerabilities in a clearly irresponsible way? Only she can say, but her public statements reportedly include now-deleted GitHub posts expressing a desire to sell flaws for $60,000 in, and an admission to having given exploits to “people who hate the US.”

Except, of course, vulnerabilities don’t work in a neat, surgical way – for all SandboxEscaper knows, their exploits could end up being used to attack anyone, including countries unfriendly to the US.

Irresponsible disclosure hurts everyone.

Naked Security’s analysis of June’s Windows Patch Tuesday can be found here.