To test the discovery, the researcher (SandboxEscaper) ran a proof-of-concept (PoC) that shows how a hacker could overwrite “pci.sys” with data collected from the Windows Error Reporting (WER) feedback area. It is worth noting that SandboxEscaper says her PoC has limitations that mean it may not function on every PC. One example is that the bug will not run on a PC with a single CPU core. She also says the bug is not fast acting, because it needs an ideal scenario, and that it can be prevented by several operations.

Will Dormann, an analyst for CERT/CC, says he could reproduce the bug on Windows 10 Home but confirmed the overwrite exploit does not happen consistently. However, while hackers do value reliability, in this instance it may not be important if the attack can be verified when successful. While the PoC exploited pci.sys, this file is not necessarily the “There’s nothing special about pci.sys. It was just used as an example of a file that shouldn’t be able to be overwritten,” Dormann told BleepingComputer.

SandboxEscaper has moved quickly with this exploit. She announced on December 25 that she would roll out the PoC in the New Year. However, in a change of tactic, the details were published two days later, on Dec. 27.
Recent Discoveries
The researcher tweeted the Microsoft Security Response Center (MSRC) to inform it of the bug. In other words, Microsoft knows and can work on a fix, but it does seem SandboxEscaper didn’t leave the company much time before going public. Perhaps she is tired of finding zero-day vulnerabilities in Microsoft’s systems. In August, SandboxEscaper described a Windows 10 flaw in the Task Scheduler that meant bad actors could use local access to change system permissions. She returned in October to highlight a zero-day that could give attackers elevated system privileges. That problem affected Microsoft Data Sharing (dssvc.dll), a Windows 10 service that manages data brokering for applications.