Following the news that another zero-day vulnerability was discovered in Microsoft’s latest operating systems, security experts commented below.
Rahim Jina, COO and Co-founder at Edgescan:
“Most of the zero-days reported are local privilege escalation vulnerabilities, meaning that they can only be used when someone already has a certain level of access to the target host. Generally these would be considered less of a risk, since someone trying to take advantage of them would need to circumvent some other layer of security first, in order to make use them. Vendors will typically throw most of their security resources at ensuring that system components which can be remotely accessed are the best protected and it is common to find these types of vulnerabilities across systems where local access is required first, in order to attack them.
Having said that, these types of issues are frequently sought-after and utilised by malware, in order to spread and pivot across networks. Indeed, many advanced threat actors such as nation states or even highly sophisticated criminal gangs, may utilise these types of issues to move through specific target organisations. The volume of such issues being found is no surprise, and many many more should be expected!”
Cody Brocious, Head of Hacker Education at HackerOne:
“In terms of damage, these two bugs are both super minimal on their own. The first bug allows for an attacker who already has compromised a user account to then escalate to complete system access; the second allows an attacker to remove protections in Internet Explorer 11 (IE11) if they already have code running as that user (frankly, I wouldn’t even consider this a bug at all). Users should always update to the latest version – which in a few weeks will likely include a fix for the first bug here at least – but nobody should lose a second of sleep over these. There’s nothing at all to worry about here. In theory, the first could be used with another – remotely-exploitable – bug, but the impact to end-users would be approximately zero.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.