The latest comes from Google’s Project Zero, which locates flaws in systems like Microsoft Windows and promises to publicize them no later than 90 days after notifying the developer. That team has been true to its word, publishing exploits before they’ve actually been patched, and it has discovered one that it claims is the “worst … in recent memory,” as The The Hacker News reports.
The news came via Project Zero member Tavis Ormandy’s tweet the other day:
I think @natashenka and I just discovered the worst Windows remote code exec in recent memory. This is crazy bad. Report on the way. 🔥🔥🔥
— Tavis Ormandy (@taviso) May 6, 2017
In a subsequent tweet, Ormandy provided a few more details about the vulnerability:
Attack works against a default install, don't need to be on the same LAN, and it's wormable. 🔥
— Tavis Ormandy (@taviso) May 6, 2017
Project Zero won’t reveal any additional details about the flaw, because of its own 90-day disclosure deadline. Presumably, Project Zero has passed the information along to Microsoft, which immediately kicked off the process of determining how best to fix the exploit. As Ars Technica reports, Microsoft responded quickly and issued a fix that is now being delivered to affected systems.
Now that the fix is on its way to users, Microsoft itself has shared a description of the fix, which is officially titled CVE-2017-0290. Perhaps ironically, the flaw is in the Microsoft Malware Protection Engine, otherwise known as Windows Defender, in all versions of Windows starting with Windows 7. With an unpatched system, any file that’s sent to a system and then scanned by Windows Defender could be used for an attack that would be executed at the LocalSystem level — in other words, with highly elevated privileges — and could take control of the system.
Because the Malware Protection Engine is updated in the background, users don’t need to do anything to patch an affected system. Updates are usually issued each month, but they can also be sent out immediately whenever needed. You can check that your system has been fixed by opening Windows Defender, going to Settings, then About, and checking your Engine Version. If it is 1.1.13701.0 or later, then you are not affected by the vulnerability.
As Ars Technica points out, this vulnerability utilizes one of the weaknesses of anti-malware software in general. Because it has to work at so many levels, and at very high privilege levels, in order to protect a system, it is uniquely vulnerable to many different kinds of attacks. Microsoft implemented a security feature, Control Flow Guard (CFG), in Windows 8.1 and Windows 10 that helps protect against remote execution attacks like this one.
Microsoft has been a Project Zero target in the past, including some instances where a vulnerability was publicized before Microsoft issued a patch. The Google team has therefore been a target of some general angst around its policies, even as it has likely succeeded in prodding developers to move expeditiously in fixing flaws in their code.
Natalie Silvanovich, another Project Zero member, responded to just these sorts of concerns with a tweet of her own:
If a tweet is causing panic or confusion in your organization, the problem isn't the tweet, the problem is your organization
— Natalie Silvanovich (@natashenka) May 6, 2017
This particular vulnerability serves as a reminder to make sure to keep your PCs updated with the latest security patches, and to ensure that your malware software is also up to date. While this vulnerability affects Windows, Apple’s MacOS users are not immune to attack and should take their own precautions as well.
Updated on 5-9-2017 by Mark Coppock: Added information about the vulnerability and that Microsoft has issued a fix.
