Microsoft has issued patches for a major zero-day vulnerability that, if left unaddressed, could have led hackers to mount large-scale attacks. The bug was found by Google's Project Zero researchers, who in the past have been at the centre of various high-profile disclosures. Project Zero researcher Tavis Ormandy, on 5 May, took to Twitter to report that he and his colleague Natalie Silvanovich had found the "worst" Windows remote code execution vulnerability, which he labelled as "crazy bad".
In his tweets, Ormandy said the attacks worked against a default Windows install (which means victims don't need to download additional software for the system to become vulnerable) and that the attacks are wormable, indicating that they have self-propagation capabilities.
However, just days after Ormandy tweeted about the bug, Microsoft issued a fix. The tech giant said in a security advisory that the vulnerability affected its Malware Protection Engine. According to Microsoft, the zero-day vulnerability had the potential to "allow remote code execution if the Microsoft Malware Protection Engine scans a specially crafted file".
"An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the LocalSystem account and take control of the system," Microsoft said.
"Vulnerabilities in MsMpEng (Microsoft Malware Protection Engine) are among the most severe possible in Windows, due to the privilege, accessibility, and ubiquity of the service," Ormandy wrote in a report. "On workstations, attackers can access mpengine by sending emails to users (reading the email or opening attachments is not necessary), visiting links in a web browser, instant messaging and so on."
Microsoft's rapid response was lauded by Ormandy, who said he was "blown away" by how quickly Microsoft worked to address the issue. Microsoft said in its advisory that users don't need to install any updates "because the built-in mechanism for the automatic detection and deployment of updates will apply the update within 48 hours of release".