On Monday, Twitter user SandboxEscaper disclosed a zero-day vulnerability in Windows 10 in an angry Twitter post and released a proof of concept for the bug alongside it.
No Existing Workaround
SandboxEscaper found a local privilege escalation vulnerability in the Advanced Local Procedure Call (ALPC) interface of the Windows Task Scheduler that can allow a local user to obtain SYSTEM privileges.
CERT/CC has confirmed that the bug works on both the 64-bit version of Windows 10 and Windows Server 2016 systems. The bug could also be exploited on other versions of Windows with some modifications. Will Dormann, a CERT/CC analyst, said via Twitter that the bug “works well in a fully patched 64-bit Windows 10 system.” He added that he doesn’t know of any workarounds one could use to block attackers from taking advantage of this flaw until Microsoft issues a patch.
In a statement to Tom’s Hardware, Microsoft implied that a solution may come with the next update, coming Tuesday, September 11:
“Windows has a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible. Our standard policy is to provide solutions via our current Update Tuesday schedule.”
Dissatisfaction With Microsoft’s Bug Bounty Program
Based on the language SandboxEscaper used in the tweet, it seems they had a bad experience trying to submit either this bug or previous bugs to Microsoft, leading the researcher to take to Twitter to publicly disclose it.
The researcher also seems to have been trying to sell this bug to others in the past month. Someone with the same “SandboxEscaper” name posted several times on Reddit asking how to sell Windows zero-day bugs. They also mentioned on Twitter that they “can’t wait to sell” bugs in Microsoft’s software.
SandboxEscaper’s behavior is nothing new. Not all of those who find bugs in big companies’ software report them back to the companies. The vulnerability black markets tend to offer much better prices for zero-day bugs and exploits. However, as long as the gap between what researchers can get on the black market and what they can get from the software providers doesn’t become too large, many will still prefer to take the more ethical approach of disclosing the bugs to software vendors.