Microsoft Zero Day Proof of Concept Code Advisory

Number: AV19-106
Date: 27 May 2019

The Cyber Centre is aware of recently published proofs of concept that expose four new zero-day vulnerabilities affecting Microsoft Windows (primarily Windows 10 and Windows Server 2016/2019). The exploitability of these vulnerabilities varies in complexity, though all would require authenticated access to the target system in order to be successful. Nevertheless, a malicious actor could use these as part of an exploitation chain to escalate their privileges after gaining low-privileged access to a system. The four vulnerabilities, along with the names they have been given on GitHub and a brief description, are:

  1. Microsoft Windows Task Scheduler Privilege Escalation Vulnerability (bearlpe): A vulnerability in Microsoft Windows Task Scheduler has been found to allow a low-privileged user to arbitrarily modify files that they do not have authorization to access, including SYSTEM level files.
  2. Internet Explorer 11 Sandbox Escape Vulnerability (sandboxescape): The Internet Explorer 11 vulnerability can be exploited, via .dll injection, to allow for code execution (at the medium integrity access level) via the Internet Explorer process.
  3. CVE-2019-0841-Bypass: CVE-2019-0841, a Windows AppX Deployment Services privilege escalation vulnerability, was previously patched by Microsoft in May 2019. This Proof of Concept bypasses the patch.
  4. Windows Installer Bypass (InstallerBypass): The Windows Installer process can be exploited to write files to unauthorized areas by taking advantage of a particular race condition. This Proof of Concept requires user interaction at a precise moment during the installation process, indicating that the vulnerability is difficult to successfully exploit.

Microsoft has not yet announced security updates for these vulnerabilities. CCCS advises that security updates be applied once they are available.

A fifth Zero Day Proof of Concept code vulnerability (angrypolarbearbug2) was later determined to have been already fixed as part of the May 2019 Patch Tuesday security updates (CVE-2019-0863).

Note to Readers

The Canadian Centre for Cyber Security (Cyber Centre) operates as part of the Communications Security Establishment. We are Canada’s national authority on cyber security and we lead the government’s response to cyber security events. As Canada's national computer security incident response team, the Cyber Centre works in close collaboration with government departments, critical infrastructure, Canadian businesses and international partners to prepare for, respond to, mitigate, and recover from cyber events. We do this by providing authoritative advice and support, and coordinating information sharing and incident response. The Cyber Centre is outward-facing, welcoming partnerships that help build a stronger, more resilient cyber space in Canada.
