We reported two days ago that SandboxEscaper, who had released a number of exploits for Windows 10, was promising to release a few more. The hacker made good on this yesterday, releasing 3 more unpatched exploits for the operating system and one that was fortunately already patched earlier this month.
According to her blog, SandboxEscaper said she was in the market to sell flaws to “people who hate the US”, apparently in response to FBI subpoenas against her Google account.
The GitHub proofs of concept include three Windows local privilege escalation (LPE) security flaws and a sandbox-escape vulnerability in Internet Explorer 11, although one of the LPEs was patched in Microsoft’s May Patch Tuesday. It appears that on at least one occasion SandboxEscaper forwarded details of the flaw to Microsoft.
The bugs include a local privilege escalation bug targeting the Windows Error Reporting service, CVE-2019-0863, which was given a CVSS 3.0 severity score of 7.8 (high).
She also posted a video of REM’s “It’s the end of the world as we know it” and wrote:
“Uploaded the remaining bugs.
burning bridges. I just hate this world.
ps: that last windows error reporting bug was apparently patched this month. Other 4 bugs on github are still 0days. have fun.”
For all our sakes, we hope SandboxEscaper feels better soon.