A new, unpatched vulnerability in Microsoft Windows was disclosed today (December 2018) by the security researcher known on Twitter as SandboxEscaper. Alongside the disclosure, the researcher published a proof-of-concept (PoC) exploit for the zero-day, leaving a large number of Windows installations exposed until Microsoft ships a fix.

SandboxEscaper previously disclosed two Windows zero-days, both unpatched at the time of disclosure and fixed by Microsoft in later monthly security updates. The current issue is an arbitrary file read: a low-privileged user or a malicious application running under such an account can obtain the contents of files that are normally readable only by administrators or SYSTEM. It is not a remote vulnerability; the attacker needs code running on the machine already.

The bug lies in the MsiAdvertiseProduct function of the Windows Installer. That function generates an advertise script and manages the registry and shortcut information associated with a product's installation. Because the installer service, which runs as SYSTEM, does not adequately validate the file it is asked to process, an attacker can direct it to make a copy of any file on disk. The copy is made with SYSTEM privileges, so the caller's own access rights are never applied, and the attacker ends up able to read a file that was off limits to them. The primitive is disclosure, not code execution, and the attacker must already know the path of the file they want.
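The following is an added, illustrative model of the bug class just described, not the Windows Installer source or the researcher's PoC. A service running as SYSTEM copies a caller-supplied file on the caller's behalf; the vulnerable variant uses its own rights and follows whatever the path points at, while the hardened variant checks the caller's access, refuses links, and copies from the descriptor it opened. The principals, the in-memory ACL and the temporary files are all constructed for the example (it runs on Linux or macOS).

```python
"""
Illustrative model of a privileged copy service (added example, not Windows
Installer code). A SYSTEM-level service copies a file named by a low-privileged
caller; doing so with the service's own rights turns it into a confused deputy.
"""
import os
import stat
import tempfile

SYSTEM = "SYSTEM"      # constructed principal names for the model
ADMIN = "admin"
LOW_USER = "lowpriv"


class PrivilegedCopyService:
    """Copies files for callers while itself running with full privileges."""

    def __init__(self, acl):
        # Constructed stand-in for file ACLs: resolved path -> principals allowed to read.
        self.acl = acl

    def _caller_may_read(self, caller, resolved):
        return caller == SYSTEM or caller in self.acl.get(resolved, set())

    def copy_vulnerable(self, caller, src, dst):
        """Confused deputy: the caller's identity is ignored and links are followed,
        so any file the service can read is copied to a caller-readable location."""
        with open(src, "rb") as f:          # opened with the service's own rights
            data = f.read()
        with open(dst, "wb") as f:
            f.write(data)
        return data

    def copy_hardened(self, caller, src, dst):
        """Refuse links, check the caller's own access against the resolved path,
        then read from the descriptor actually opened rather than re-resolving."""
        if stat.S_ISLNK(os.lstat(src).st_mode):
            raise PermissionError("links and junctions are not followed")
        resolved = os.path.realpath(src)
        if not self._caller_may_read(caller, resolved):
            raise PermissionError(f"{caller} cannot read {resolved}")
        # O_NOFOLLOW closes the lstat-then-open window on POSIX. On Windows the
        # equivalent is opening the file while impersonating the caller, so the
        # kernel, not this code, enforces the caller's ACL.
        fd = os.open(src, os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0))
        with os.fdopen(fd, "rb") as f:
            data = f.read()
        with open(dst, "wb") as f:
            f.write(data)
        return data


def demo():
    """Build a constructed layout and report what each variant lets lowpriv read."""
    root = tempfile.mkdtemp()
    secret = os.path.join(root, "secret.txt")    # admin-only, e.g. a config with credentials
    public = os.path.join(root, "public.txt")    # readable by everyone
    link = os.path.join(root, "lowpriv_link")    # a name the low-privileged user controls
    out = os.path.join(root, "copy.out")         # where the service writes the copy
    with open(secret, "wb") as f:
        f.write(b"admin-only contents")
    with open(public, "wb") as f:
        f.write(b"world readable")
    os.symlink(secret, link)

    acl = {
        os.path.realpath(secret): {ADMIN},
        os.path.realpath(public): {ADMIN, LOW_USER},
    }
    svc = PrivilegedCopyService(acl)
    results = {}

    # Vulnerable: lowpriv points the service at a link to the secret and gets a SYSTEM-made copy.
    results["vulnerable_leaks_secret"] = (
        svc.copy_vulnerable(LOW_USER, link, out) == b"admin-only contents"
    )
    for key, path in (("hardened_blocks_link", link), ("hardened_blocks_secret", secret)):
        try:
            svc.copy_hardened(LOW_USER, path, out)
            results[key] = False
        except PermissionError:
            results[key] = True
    # Legitimate use still works: a file the caller may read is copied normally.
    results["hardened_allows_public"] = (
        svc.copy_hardened(LOW_USER, public, out) == b"world readable"
    )
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The design point is that a privileged component must act with the caller's rights, not its own, for any operation the caller chose the target of; checking a path and then reopening it by name is not enough, because the name can be repointed between the two steps.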

According to SandboxEscaper, the bug is serious even without an enumeration vector, that is, even though the attacker has to know the path of the target file in advance. Many document applications store the full paths and names of recently opened files in fixed, predictable locations, so reading those files reveals the names of documents belonging to other users, which can then be read in turn. The researcher's point is that the file system is full of references to user-created files, so the lack of an enumeration bug does little to diminish the threat.

Along with the disclosure, SandboxEscaper posted a video demonstration and a link to a GitHub repository hosting the PoC. The GitHub account has since been taken down, so the code is no longer available from that source, although copies may already be circulating.

This is SandboxEscaper's third Windows zero-day disclosure in a few months. In October the researcher released a PoC for a privilege-escalation bug in the Microsoft Data Sharing service that let low-privileged users delete critical system files. In August, a local privilege-escalation flaw in the Windows Task Scheduler, caused by improper handling of its Advanced Local Procedure Call (ALPC) interface, was exposed the same way. Both were reported to be exploited in the wild before Microsoft shipped fixes in its subsequent security updates.

In MITRE ATT&CK terms this bug is a local, post-compromise primitive rather than an initial-access vector: it most directly supports collection of data from the local system, and it can feed privilege escalation or credential access if the files read contain secrets such as configuration files, tokens or credential stores. Until a patch is available, defenders should assume that untrusted code running under a low-privileged account on a shared Windows host can read files beyond that account's nominal permissions, and should apply Microsoft's fix as soon as it is released.
