Microsoft has rolled out an emergency patch to fix a severe zero-day vulnerability in Windows that involves the operating system's malware scanner.
The bug was discovered and disclosed over the weekend by Tavis Ormandy and Natalie Silvanovich, both of whom are security experts for Google Project Zero.
Windows 'Crazy Bad' Bug Discovered
Ormandy tweeted his discovery with Silvanovich on May 5, claiming that they found the worst remote code execution vulnerability for Windows in recent memory.
"This is crazy bad," Ormandy said, adding that attacks taking advantage of the exploit will work on a default install of Windows. Attacks do not need to be carried out from the same LAN and are wormable, meaning that an attack can replicate itself and spread beyond the computer that it initially infected.
The vulnerability was found in the Microsoft Malware Protection Engine, used by Microsoft's default malware scanner Windows Defender and other security software. After the bug's discovery, a report was sent to Microsoft, which then scrambled to release a fix.
Microsoft has now issued a security advisory for CVE-2017-0290, and the patch has been released. Windows users are strongly advised to check that the patch has been properly downloaded and installed to prevent their computers from being compromised through the vulnerability.
The Danger Of The Zero-Day Bug
Microsoft's rush to release an emergency patch for the discovered zero-day bug is not an overreaction, as the vulnerability presented a massive risk to Windows users.
Attackers using the exploit can create specially crafted files that can be sent through email or uploaded to websites for distribution. Once such a file is scanned by the Windows malware scanner, attackers can take over the computer.
After successful execution, attackers would be able to install and delete programs on the computer, create new user accounts with full permissions, and access stored confidential and sensitive information.
The alarming characteristic of the vulnerability is that users do not need to open or even download the attackers' file. The malware scanner of Windows inspects all files that computers come in contact with, which means that computers will be compromised even if the user only visits a website with the file or receives the file as an attachment in an email.
Further increasing the danger of the vulnerability is the fact that many Windows users rely solely on the built-in malware security software of Windows to protect themselves from security breaches. The damage that attackers will be able to do if they can turn Microsoft's own malware scanner into the method through which potentially millions of computers are compromised is unthinkable.
Fortunately, such an incident will no longer happen. Microsoft is now rolling out the patch to fix the zero-day vulnerability, with Windows to automatically install the update as soon as it is available.
The quick response by the Microsoft security team upon learning about the discovery drew praise from Ormandy. Microsoft noted that it has not received any reports of attacks utilizing the exploit, so it seems that the story of the "crazy bad" Windows bug has come to an abrupt end.