By Stuart Nevans Locke:
Within the last few weeks, two zero-day exploits were disclosed on Twitter. Typically, a vulnerability is reported privately to the vendor of the affected product, the researcher waits for the vendor to fix it, and the details are made public only after a patch has been released. Companies that run bug bounty programs often pay researchers for finding vulnerabilities, but those payouts are almost always lower than what the same vulnerability would fetch on the black market. Some bug bounty programs also have extremely limited scope, or are reluctant to actually award bounties. As a result, companies such as Zerodium have formed that operate in the gray area of buying and selling exploits. For example, last year Zerodium offered to pay up to $250,000 for a remote code execution vulnerability in Tor Browser that resulted in root access, while the Tor Project's own bug bounty program would pay a maximum of $4,000.
Shortly before that, on August 27, a Twitter user going by the handle @SandboxEscaper posted a tweet containing a local privilege escalation exploit for the Windows Task Scheduler's ALPC interface that worked on fully updated Windows machines. Both the source code and a proof of concept (PoC) were published by the researcher directly on Twitter, with no advance report to Microsoft. In the tweet, SandboxEscaper complained about how unpleasant dealing with Microsoft had been for them in the past. Within days of the release, malware in the wild began using the exploit.
The most worrisome thing about these two vulnerabilities is that both were disclosed without any coordination with the vendor, so they could be exploited in the wild before NoScript and Microsoft had time to put out patches. Responsible disclosure is one of the practices that security researchers emphasize most, and it is troubling to see it completely ignored by multiple parties within such a short span of time.
https://www.zdnet.com/article/exploit-vendor-drops-tor-browser-zero-day-on-twitter/ (Summary of Zerodium’s disclosure)
https://www.theregister.co.uk/2018/08/28/windows_zero_day_lpe/ (Summary of SandboxEscaper’s disclosure)
https://hackerone.com/torproject (Tor bug bounty)
https://zerodium.com/tor.html (Zerodium Tor Page)
https://doublepulsar.com/task-scheduler-alpc-exploit-high-level-analysis-ff08cda6ad4f (Technical Analysis of SandboxEscaper’s exploit)