MICROSOFT HAS DONE WHAT MICROSOFT DOES and released an emergency patch for a Windows vulnerability that is bad… like, real bad.
The bug was discovered by Tavis Ormandy, of course, and Natalie Silvanovich of Google's Project Zero. On Twitter, Ormandy said that Microsoft reacted to his warning swiftly and issued a patch that seems to do what is needed to protect Windows users. He also said that the vulnerability was "crazy bad" and the "worst Windows remote code exec in recent memory".
Microsoft tackled the Ormandy issue in a patch released late on Monday that promises to cover the gap in the Microsoft Malware Protection Engine (MsMpEng), Windows Defender and some other so-called security doodahs.
"The update addresses a vulnerability that could allow remote code execution if the Microsoft Malware Protection Engine scans a specially crafted file," it said.
"An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the LocalSystem account and take control of the system."
In a report released by Project Zero after Microsoft released its patch, the security researchers said that MsMpEng is core to Windows security and that it could be exploited with a specially crafted email. It did not play down the threat.
I think @natashenka and I just discovered the worst Windows remote code exec in recent memory. This is crazy bad. Report on the way. 🔥🔥🔥— Tavis Ormandy (@taviso) May 6, 2017
"Vulnerabilities in MsMpEng are among the most severe possible in Windows, due to the privilege, accessibility, and ubiquity of the service," it said.
"The core component of MsMpEng responsible for scanning and analysis is called mpengine. Mpengine is a vast and complex attack surface, comprising of handlers for dozens of esoteric archive formats, executable packers and cryptors, full system emulators and interpreters for various architectures and languages, and so on. All of this code is accessible to remote attackers."
Just released malware protection engine update to— Security Response (@msftsecresponse) May 9, 2017
address RCE vuln - Defender will autoupdate. https://t.co/rzn5QWo6sV
Windows users are advised to embrace the emergency update and get it installed.
"Customers should verify that the latest version of the Microsoft Malware Protection Engine and definition updates are being actively downloaded and installed for their Microsoft antimalware products," said the Redmond patch factory.
"For end-users, the affected software provides built-in mechanisms for the automatic detection and deployment of this update. For these customers, the update will be applied within 48 hours of its availability. The exact time frame depends on the software used, Internet connection, and infrastructure configuration. End users that do not wish to wait can manually update their antimalware software." µ
Could face hefty fines and ban in Russia if it fails to comply
What next?! Self-driving planes... oh wait
It's expected to last for 'a number of weeks'