Google Project Zero researchers Natalie Silvanovich and Tavis Ormandy tweeted about finding the nastiest “Windows remote code exec in recent memory.” The researchers found a flaw in the security tool that is used in all modern Windows systems. The Microsoft Malware Protection Engine enabled complete remote control over a vulnerable PC by just sending an email.
Google researchers called the bug “crazy bad”
According to the Project Zero team, the issue was in Microsoft’s anti-malware protection engine. The engine is supposed to scan files for issues, but it could be tricked by hackers into executing code included in an instant message or email, notes Engadget.
Silvanovich and Ormandy found that an email sent to take complete remote control over a PC did not even require the recipient to open it. Ormandy described the flaw as “the worst [of its kind] in recent memory” and “crazy bad.”
Giving a technical description of the flaw, the researcher explained, “Vulnerabilities in MsMpEng [Microsoft Malware Protection Engine] are among the most severe possible in Windows, due to the privilege, accessibility, and ubiquity of the service.”
Ormandy said that it could work against a default installation and could become wormable, which means it could replicate itself on a targeted machine and spread to other computers automatically.
The bug is present in almost all the versions under which the Redmond-based company markets its malware protection engine, including its Security Essentials, Endpoint Protection, Windows Defender, System Center Endpoint Protection, Forefront Endpoint Protection, Windows Intune Endpoint Protection, and Forefront Security for SharePoint.
Microsoft fixes Windows Defender bug
Realizing the severity of the issue, Windows Defender developers and Microsoft’s Security Response Center fixed the issue in just two days. The fix is now available via Windows Update for Windows 7, RT, 8.1, 10 and other versions that IT professionals are more familiar with. The Control Flow Guard security feature reduces the risk of this attack on 8.1 and 10, according to the Windows maker.
“If the affected antimalware software has real-time protection turned on, the Microsoft Malware Protection Engine will scan files automatically, leading to exploitation of the vulnerability when the specially crafted file scanned,” Microsoft wrote in its advisory.
And if real-time scanning is not enabled, then the hacker would have to wait until a scheduled scan occurs for the vulnerability to be exploited.
Now that the fix is available, users of Windows computers should download the updated version automatically. If you are in a hurry, click the update button and get the update manually. Just check the Windows Defender settings to make sure that your computer has an engine listed with version 1.1.13704.0 or higher, notes Engadget.
According to the company, the update addresses the vulnerability by “correcting the manner in which the Microsoft Malware Protection Engine scans specially crafted files.” The bug was quite nasty, but the tech giant is being praised for being so prompt in dealing with the problem and fixing it in just two days.