The bug open to the public now as the 90-day deadline exceeded, Google’s Project Zero security researcher James Forshaw released a detailed description of the bug along with the PoC.
The severity of the bug is rated as medium and the lockdown policy can be bypassed by using a .NET bug that leads to arbitrary code execution on a system with UMCI enabled.
An arbitrary code execution vulnerability allows a user to create or modify a file in any location that user could not access normally, this vulnerability occurs due to lack of input sanitization.
The bug itself resides in .NET that not behaving well with COM implementations and the .NET object created having a direct impact on the class policy which allows an attacker to add registry keys.
“As .NET then don’t care about whether the .NET Type has that specific GUID you can use this to bootstrap arbitrary code execution by abusing something like DotNetToJScript,” he said.
The bug affects only the Windows 10S users and it cannot be executed remotely, attackers need to have the code already running on the machine to install the registry entries that exploit this vulnerability, although this could be through an RCE such as a vulnerability in Edge he said.
“The issue isn’t as serious as it might have been if all known avenues for bypass were fixed”, he wrote.