A security researcher has discovered yet another zero-day vulnerability in Microsoft Windows that allows a user to read files in unauthorized locations.
The security researcher, known as SandboxEscaper on Twitter, has released details about the vulnerability that affects ReadFile.exe. The file allows reading data from specific locations.
The same researcher previously disclosed exploits for two other zero-day Windows vulnerabilities. After the exposure, all users were vulnerable to being hacked until Microsoft released a patch.
This new vulnerability could allow a low-privileged user to read the content of any file on a targeted computer. This should only be possible with administrator-level privileges.
The vulnerability resides in the “MsiAdvertiseProduct” Windows function. “MsiAdvertiseProduct” is responsible for generating “an advertise script or advertises a product to the computer and enables the installer to write to a script the registry and shortcut information used to assign or publish a product.”
According to SandboxEscaper, the function can be used to force the installer service into making a copy of any file with SYSTEM privileges, so that its content can then be read. This is known as an arbitrary file read vulnerability, and it occurs because of improper validation.
“Even without an enumeration vector, this is still bad news, because a lot of document software, like office, will actually keep files in static locations that contain the full path and file names of recently opened documents..”
“Thus by reading files like this, you can get filenames of documents created by other users.. the filesystem is a spiderweb and references to user-created files can be found everywhere.. so not having an enumeration bug is not that big of a deal.”
This is the third zero-day Microsoft Windows vulnerability released in the last four months, which isn’t good news for Microsoft, and many people will be wondering how many more are to come.