At approximately 2 AM CET a new 0-day exploit was published on GitHub by Sergey Zelenyuk, a self-employed reverse engineer, vulnerability researcher and exploit developer based in Saint Petersburg, Russia.
The exploit requires a special setup, and the idea is that an attacker can work their way through a VirtualBox virtual machine to gain root access to the host machine.
This could mean that hundreds, if not thousands, of host machines are potentially at risk. The risks include everything from data loss to theft of personal data and so on.
But aren't 0-day exploits reported to companies first?
YES! At least that is what usually happens. Sergey, however, seems unhappy with the current state of the information security community and, along with the 0-day exploit, explains why he released it to the public instead of keeping it more private. The statement is a nice read and really brings a down-to-earth approach to the whole rockstar Haxor trend that has been around for a while. The statement reads:
"I like VirtualBox and it has nothing to do with why I publish a 0day vulnerability. The reason is my disagreement with contemporary state of infosec, especially of security research and bug bounty:
1. Wait half a year until a vulnerability is patched is considered fine.
2. In the bug bounty field these are considered fine:
   - Wait more than month until a submitted vulnerability is verified and a decision to buy or not to buy is made.
   - Change the decision on the fly. Today you figured out the bug bounty program will buy bugs in a software, week later you come with bugs and exploits and receive "not interested".
   - Have not a precise list of software a bug bounty is interested to buy bugs in. Handy for bug bounties, awkward for researchers.
   - Have not precise lower and upper bounds of vulnerability prices. There are many things influencing a price but researchers need to know what is worth to work on and what is not.
3. Delusion of grandeur and marketing bullshit: naming vulnerabilities and creating websites for them; making a thousand conferences in a year; exaggerating importance of own job as a security researcher; considering yourself "a world saviour". Come down, Your Highness.
I'm exhausted of the first two, therefore my move is full disclosure. Infosec, please move forward."
We are currently waiting for official responses, both from companies and from rockstar H4x0rz, commenting on the exploit and on the state of the information security community. It's gonna be a fun ride!
Below you can find a video showing off said exploit.