Number: AV19-106
Date: 27 May 2019
The Cyber Centre is aware of recently published Proofs of Concept that expose four new Zero Day vulnerabilities affecting Microsoft Windows (primarily Windows 10 and Windows Server 2016/2019). The exploitability of these vulnerabilities varies in complexity, though all would require authenticated access to the target system in order to be successful. Nevertheless, a malicious actor could use these as part of an exploitation chain to escalate their privileges after gaining low-privileged access to a system. The four vulnerabilities, along with the names they have been given on GitHub and a brief description of each, are:
- Microsoft Windows Task Scheduler Privilege Escalation Vulnerability (bearlpe): A vulnerability in Microsoft Windows Task Scheduler has been found to allow a low-privileged user to arbitrarily modify files that they do not have authorization to access, including SYSTEM-level files.
- Internet Explorer 11 Sandbox Escape Vulnerability (sandboxescape): The Internet Explorer 11 vulnerability can be exploited, via .dll injection, to allow for code execution (at the medium integrity access level) via the Internet Explorer process.
- CVE-2019-0841-Bypass: CVE-2019-0841, a Windows AppX Deployment Services privilege escalation vulnerability, was previously patched by Microsoft in May 2019. This Proof of Concept bypasses the patch.
- Windows Installer Bypass (InstallerBypass): The Windows Installer process can be exploited to write files to unauthorized areas by taking advantage of a particular race condition. This Proof of Concept requires user interaction at a precise moment during the installation process, indicating that the vulnerability is difficult to successfully exploit.
Microsoft has not yet announced security updates for these vulnerabilities. CCCS advises that security updates be applied once they are available.
The vulnerability targeted by a fifth Zero Day Proof of Concept (angrypolarbearbug2) was later determined to have already been fixed as part of the May 2019 Patch Tuesday security updates (CVE-2019-0863).
Note to Readers
The Canadian Centre for Cyber Security (Cyber Centre) operates as part of the Communications Security Establishment. We are Canada’s national authority on cyber security and we lead the government’s response to cyber security events. As Canada's national computer security incident response team, the Cyber Centre works in close collaboration with government departments, critical infrastructure, Canadian businesses and international partners to prepare for, respond to, mitigate, and recover from cyber events. We do this by providing authoritative advice and support, and coordinating information sharing and incident response. The Cyber Centre is outward-facing, welcoming partnerships that help build a stronger, more resilient cyber space in Canada.