Windows zero-day vulnerability disclosed via Twitter


There's a zero-day vulnerability on Microsoft Windows that has been publicly unveiled on Twitter, and the whole thing is a mess. First, a Twitter user with the name SandboxEscaper posted a link to GitHub which appears to contain a proof-of-concept for the vulnerability.

He also posted a short rant in which he says he doesn't want to submit things to Microsoft “ever again”.

Soon after Will Dormann, a vulnerability analyst at CERT/CC, confirmed that the proof-of-concept is real and that it works, Microsoft jumped in with the usual:

“Windows has a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible. Our standard policy is to provide solutions via our current Update Tuesday schedule,” it told ZDNet.

But then it gets extra interesting. According to ZDNet, the same person that disclosed the vulnerability (or at least someone with the same online alias), tried to sell the vulnerability before letting Microsoft know about it.

A Reddit user with the same name, SandboxEscaper, tried to sell ‘Windows 0days’ multiple times. The posts have been deleted in the meantime.

The zero-day lets Windows user accounts with local privileges gain SYSTEM access. It does so through the way Windows handles Advanced Local Procedure Calls (ALPC), which means the 0day’s impact is limited, but still noteworthy.
