Windows 10 desperately needed changes to its upgrade system and they are finally rolling out. That said, they’re not a magic bullet, and Microsoft has now warned users about an update that is going to be hit multiple times over the next few weeks, before the company can do anything about it.
The threat comes from SandboxEscaper, a well-known exploit broker, who has found multiple holes in Microsoft’s CVE-2019-0841 security update. Moreover, while Microsoft posted a warning on June 7 and has attempted three fixes so far, SandboxEscaper has now released a fourth and promised that further exploits of it will follow. The result is that Microsoft is left playing whack-a-mole, and Windows 10 users should be vigilant.
As reported by ZDNet, security researcher Nabeel Ahmed states that SandboxEscaper has found a way to give anyone with access to Windows 10 and Server 2019 machines permissions that result in “Full control”. ZDNet notes that Microsoft “will certainly not have enough time to fix this one” for several days and then SandboxEscaper will publish another.
And it is clear SandboxEscaper has found something substantial. ZDNet notes that this is the fourth zero-day LPE (local privilege escalation) the hacker has released this month. It’s not a good look for Microsoft.
It also comes on the back of Microsoft’s promise to give Windows 10 users more “control, quality and transparency” over software updates. But the end result is worth reading about because it isn’t quite what you’d expect, and there’s little benefit in Microsoft delivering a stable update anyway (as CVE-2019-0841 was) if it is full of holes.
At least this latest exploit requires someone to already have access to your computer, unlike other Windows 10 updates in the last year which have deleted your personal data, made Windows 10 downgrade itself, broken app updates, crippled gaming performance or made Chromium browsers up to 4x slower.
Microsoft may have finally started to do the right thing by Windows 10 users, but it’s clear there’s still a lot of work to be done in convincing anyone who hasn’t yet upgraded to Windows 10 to take the plunge.