A vulnerability researcher published four previously unreported flaws in Microsoft Windows over three days this week, flaws that could allow a local user to escalate their rights on a compromised system to those of an administrator.
Exploits for the four flaws — plus a fifth vulnerability that Microsoft fixed last week — were posted by the researcher to a GitHub repository using the name SandboxEscaper. The researcher, who has published working zero-day attacks for legitimate vulnerabilities in the past, posted the first exploit on Tuesday, May 21, with two more exploits published on each of the next two days.
The danger from the issues is likely to be low, but the code could be incorporated into popular malware frameworks, says Craig Young, a computer security researcher with Tripwire's Vulnerability and Exposure Research Team (VERT).
"Overall, these vulnerabilities do not markedly change the typical security advice to use a layered approach to security, including endpoint monitoring," he says. "Unlike the Task Scheduler exploit disclosed earlier in the week, these bugs do not require the attacker to know a username and password — meaning that some of them could more realistically be incorporated into malware."
Publishing, or "dropping," unknown vulnerabilities and exploit code used to be a popular way for vulnerability researchers to punish software vendors for a lack of focus on software security or for a lack of response to researchers' vulnerability reports. However, as companies have increasingly taken security more seriously, and the impact of exploited vulnerabilities has grown more d ..