By Gordon Kelly
Windows 10 desperately needed changes to its upgrade system and they are finally rolling out. That said, they’re not a magic bullet and Microsoft has now warned users about an update which is going to be hit multiple times over the next few weeks, and before the company can do anything about it.
The threat comes from SandboxEscaper, a well-known exploit broker, who has found multiple holes in Microsoft’s CVE-2019-0841 security update. Moreover, while Microsoft has posted a warning on June 7 and has attempted three fixes so far, SandboxEscaper has now released a fourth and promised to further exploits of it will follow. The result is Microsoft is left playing whack-a-mole and Windows 10 users should be vigilant.
As reported by ZDNet, security research Nabeel Ahmed states that SandboxEscaper has found a way to give anyone with access to a Windows 10 and Server 2019 machine permissions that result in “Full control”. ZDNet notes that Microsoft “will certainly not have enough time to fix this one” for several days and then SandboxEscaper will publish another.
And it is clear SandboxEscaper has found something substantial. ZDNet notes that this is the fourth zero-day LPE (local privilege escalation) the hacker has released this month. It’s not a good look for Microsoft.