If there is one particular thing about software which should be looked into with greater scrutiny, it would be the presence of bugs or exploits. Microsoft’s products have had their fair share of run-ins with such bugs in the past, and this time around, their software engineers have released a patch for an extremely vulnerable Windows zero-day bug. Just how bad is this particular situation? Well, the vulnerability has been described to be the “worst” Windows remote code execution flaw in recent years, and this definitely warrants a quick fix so that no one would like to miss at the risk of having their machines exploited. The zero-day vulnerability was discovered just a few days back, so it is nice to see that work has been done quickly (perhaps not fast enough as deemed by certain quarters) to make sure that a patch is available for users.
Earlier this Monday, Microsoft issued a security advisory for CVE-2017-0290, which is their way of mentioning a remote code execution flaw that will impact the Windows operating system. Who discovered this security vulnerability? Google Project Zero security experts Natalie Silvanovich and Tavis Ormandy were the ones who took to Twitter, sharing about the existence of such a flaw in Microsoft’s Malware Protection Engine (MsMpEng), which is used by Windows Defender and various security products. According to the researcher, he deemed this to be a "crazy bad" bug, citing that it might actually be "the worst Windows remote code exec [execution flaw] in recent memory." Thankfully, Ormandy left it at that without providing any more information, so that Microsoft will be able to have an adequate amount of time to fix the scripting engine memory corruption vulnerability after a private report.
The built-in deployment system and scanner engine that is available across Microsoft's newer products will then send the patch to vendors on its own across the time span of the next 48 hours. Apparently, this “crazy bad” vulnerability opens up the door for attackers to remotely execute code should the Microsoft Malware Protection Engine scan a specially designed file. Upon successful exploitation, these attackers can make their way into the LocalSystem account, which is followed by a full hijack.
Being able to yield such a huge amount of power would allow the very same attackers to gain full control of a system, including the ability to install as well as delete programs, pick up sensitive and personal information, and even create totally new accounts with full user rights, all the while downloading extra malware. According to the Project Zero team, this vulnerability can be used against victims through the simple act of sending an email to users. In fact, the message does not even have to be opened, and neither is there any need to download attachments of any kind in order for the attack to work. This is an extremely disturbing development, and on the consumers’ side, we do hope that Microsoft would have done all that they could in order to restore law and order to the computing world with this patch.