Over the past two days, a security researcher who goes by the handle SandBoxEscaper released demo code for three different Windows 10 vulnerabilities. Microsoft already patched at least one exploit, but the company hasn’t commented on the others yet.
In the past year, SandBoxEscaper has published seven different exploits, of varying degrees of significance and ease of use. Various outlets like Ars Technica and ZDNet are referring to these latest vulnerabilities as “zero-day exploits,” but that may not be totally accurate.
The term “zero-day” refers to exploits for vulnerabilities discovered by outside parties and then either used or published without first notifying the affected vendor. Early reports suggested that SandBoxEscaper published all of these exploits without responsible notification to Microsoft, but that appears not to be the case.
ZDNet mentions in an updated version of their article that Microsoft clarified it already patched at least one of these exploits, and linked it to CVE-2019-0863, an exploit credited to “Polar Bear” (another name SandBoxEscaper uses). Microsoft didn’t comment on the other two vulnerabilities.
If you’re wondering how dangerous these exploits are, the answer is a bit of a mixed bag. According to SandBoxEscaper, the vulnerabilities are hard to take advantage of and require local access to the targeted machine, which limits the usefulness of the exploits.
On the other hand, if a bad actor does gain local access to a targeted machine, they can cause quite a bit of damage with any of these exploits, as they provide varying ways to elevate privileges, gain SYSTEM access, and execute JavaScript at a level IE11’s sandbox should prevent.
If Microsoft hasn’t already patched all three vulnerabilities, the company needs to make them a focus. [ZDNet]
In Other News
- League Of Legends might come to mobile devices: According to “sources” Tencent and Riot Games may be working on a mobile version of League of Legends. It’s a sensible move given the success of Fortnite on every platform. But until we have more than just unnamed sources, it’s a hope and rumor at best. I call Jarvan IV! [Reuters]
- Razer Forge TV and Ouya say a final goodbye: You may be thinking right now: “What are Razer Forge TV and OUYA?” and that would be the problem. Razer Forge TV was among the first attempts at Android on the TV, and the company pulled it within months. And OUYA promised to change the game with its crowdfunded Android TV console before Razer purchased the company. Neither took off, and now Razer says it’s shutting down their online stores after June 25th, 2019. [9to5Google]
- Panic’s upcoming PlayDate handheld is super cute: Coming from the creators of great Mac software like Coda and Prompt, and indie game creators behind Katamari, is an adorable little handheld with a crank. Look at that horse GIF; it screams of childhood innocence somehow. The PlayDate is set to release in early 2020, and due to a high-end screen and other hardware should retail around $150. [The Verge]
- Tesla’s new lane change tech may not be safe: Recently Tesla updated its “Autopilot software” with the capability to automatically change lanes. The company claims the car can do this more safely on its own than a human, but Consumer Reports says otherwise. In testing they found the vehicles tried changing lanes in unsafe manners, braking at unexpected points and cutting off cars with little room to spare. Self-driving cars have a long, long way to go. [Consumer Reports]
- Las Vegas awards the Boring Company a $49 million contract: Elon Musk’s other venture, the Boring Company, has happy news. Las Vegas approved a contract to build an underground people mover tunnel, complete with autonomous electric vehicles. If the promise to cut a 15-minute walk to 1 minute holds, CES attendees will be thankful. No word on whether the tunnel comes with complimentary flamethrowers. [The Verge]
- Google’s Duplex works really well when it’s not really human: The New York Times gave a test run of Duplex, Google’s A.I. (Artificial Intelligence) booking service that schedules reservations for places like restaurants. When the A.I. actually made the call, the whole process was impressive, and the human on the line couldn’t tell. But sometimes, it wasn’t an A.I. at all. Google says about 25% of Duplex calls are made by a human, not the Duplex A.I., and even when the A.I. does start the call, a human intervenes in 15% of those cases. [The New York Times]
- Spotify reset some users’ passwords due to suspicious activity: Some users of Spotify received notification that the company reset their passwords. In a somewhat vague clarification to TechCrunch, the company explains it sent the message to some users as a precaution and reminded users not to reuse passwords across websites. Without more information, we can only guess at what’s going on. [TechCrunch]
- Apple sent out media invites for the WWDC keynote: WWDC is fast approaching, and we’re likely to hear about the latest and greatest software updates for iOS, macOS, and so on. Apple sent out media invites for the keynote, taking place on June 3. If you didn’t get a ticket, well, it’s too late. You’ll just have to watch from home like the rest of us. [MacRumors]
- GitHub Sponsors is like Patreon for open source code: GitHub just announced a new “sponsors” program that sounds reminiscent of Patreon or Twitch sponsorships. You can choose an open source developer to send monthly recurring gifts to, and the developers can add reward tiers. Microsoft says it will match $5,000 worth of donations in a developer’s first year of participation and waive all fees for the next twelve months. It’s not totally clear yet how every aspect will work, however, so keep an eye out for more details to come. [GeekWire]