Microsoft builds emergency patch for severe Windows bug

Criminals could start an attack by simply sending an email to users -- without the need for the message to be opened or any attachments to be downloaded.

Charlie Osborne, Contributing Writer

Charlie Osborne is a cybersecurity journalist and photographer who writes for ZDNet and CNET from London. PGP Key: AF40821B.

Windows just got patched.

Microsoft has released a quickly crafted patch to combat a severe zero-day vulnerability discovered only days ago.

Late Monday, the Redmond giant issued a security advisory for CVE-2017-0290, a remote-code execution flaw affecting its Windows operating system.

The vulnerability was disclosed over the weekend by Google Project Zero security experts Natalie Silvanovich and Tavis Ormandy.

On Twitter, prominent vulnerability hunter Ormandy revealed the existence of a zero-day flaw in Microsoft Malware Protection Engine (MsMpEng), used by Windows Defender and other security products.

The researcher tweeted late Friday that he and Silvanovich had "discovered the worst Windows remote code exec in recent memory. This is crazy bad."

Ormandy revealed nothing else at the time, giving Microsoft room to fix the scripting engine memory corruption vulnerability after the researchers reported it privately. Because the built-in update mechanism in Microsoft's products will deliver the patched scanner engine automatically over the next 48 hours, more details have now been disclosed.

The vulnerability allows attackers to execute code remotely whenever the Microsoft Malware Protection Engine scans a specially crafted file. A successful exploit runs with the privileges of the LocalSystem account, letting the attacker take over the entire system.

With such power, they have complete control to install or delete programs, steal information, create new accounts with full user rights and download additional malware.

Google's Project Zero team said the vulnerability can be leveraged against victims by simply sending an email to users -- without the need for the message to be opened or any attachments to be downloaded. An attack leveraging the exploit could also be conducted through malicious website visits or instant messaging.

According to Ormandy, the vulnerability not only works against default installations but is also "wormable." In other words, malware using the exploit can replicate itself and spread beyond the initial target.

"Vulnerabilities in MsMpEng are among the most severe possible in Windows, due to the privilege, accessibility, and ubiquity of the service," the team said.

Microsoft acknowledged the severity. "If the affected antimalware software has real-time protection turned on, the Microsoft Malware Protection Engine will scan files automatically, leading to exploitation of the vulnerability when the specially crafted file [is] scanned," Microsoft said. "If real-time scanning is not enabled, the attacker would need to wait until a scheduled scan occurs in order for the vulnerability to be exploited."

Microsoft Forefront Endpoint Protection 2010, Microsoft Endpoint Protection, Microsoft Forefront Security for SharePoint Service Pack 3, Microsoft System Center Endpoint Protection, Microsoft Security Essentials, Windows Defender for Windows 7, Windows Defender for Windows 8.1 and RT 8.1, Windows Defender for Windows 10, Windows 10 1511, Windows 10 1607, Windows Server 2016, Windows 10 1703, and Windows Intune Endpoint Protection are all affected.

However, Microsoft told the Project Zero team that the Control Flow Guard security feature lowers the risk of compromise on some of the latest platforms where the feature is enabled.

Ormandy praised Microsoft for its speed in issuing the emergency patch, tweeting that he was "blown away at how quickly @msftsecurity responded to protect users, can't give enough kudos."

Microsoft said there have been no reports of the issue being exploited in the wild. System administrators do not need to act, as Microsoft's update systems will push the engine update to vulnerable machines; however, the update can also be applied manually for a quicker fix.
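A defender-side check for that manual path, as an added PowerShell example that is not from the article or from Microsoft: it reads the running Malware Protection Engine version through the Defender module (assumed: a Windows 8.1/10/Server 2016 host where that module is present), compares it with the fixed version from Microsoft's advisory, which the article does not state and which you pass in as the placeholder `$FixedEngineVersion`, and triggers an immediate engine/definition update if the host is still behind.

```powershell
# Added example (not from the article or Microsoft). Assumes a host with the
# Defender PowerShell module (Windows 8.1 / 10 / Server 2016); older products
# in the affected list (Security Essentials, Windows 7 Defender) lack it.
param(
    # PLACEHOLDER: the fixed MsMpEng version is given in Microsoft's advisory
    # for CVE-2017-0290; the article does not state it, so supply it here.
    [Parameter(Mandatory = $true)]
    [version]$FixedEngineVersion
)

function Test-MsMpEngPatched {
    param([version]$FixedVersion)
    $status = Get-MpComputerStatus
    # AMEngineVersion is the MsMpEng build, distinct from the product/client version.
    $engine = [version]$status.AMEngineVersion
    [pscustomobject]@{
        EngineVersion      = $engine
        Patched            = ($engine -ge $FixedVersion)
        # Real-time protection on means a crafted file is scanned as soon as it
        # lands (the exposure Microsoft describes); off means only scheduled scans.
        RealTimeProtection = $status.RealTimeProtectionEnabled
        SignaturesUpdated  = $status.AntivirusSignatureLastUpdated
    }
}

$result = Test-MsMpEngPatched -FixedVersion $FixedEngineVersion
$result | Format-List

if (-not $result.Patched) {
    # Engine updates arrive through the same channel as definition updates, so a
    # manual definition update pulls the patched engine now rather than waiting
    # for the automatic rollout the article describes.
    Write-Warning "MsMpEng $($result.EngineVersion) is below $FixedEngineVersion; updating now."
    Update-MpSignature -UpdateSource MicrosoftUpdateServer
    $after = Test-MsMpEngPatched -FixedVersion $FixedEngineVersion
    if ($after.Patched) {
        Write-Host "Engine now $($after.EngineVersion): patched."
    } else {
        Write-Warning "Engine still $($after.EngineVersion); check update connectivity and retry."
    }
}
```

Run it from an elevated PowerShell session; the comparison is purely version-based, so a host that reports a version at or above the advisory's fixed build is treated as patched.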

This story originally posted as "Microsoft releases emergency patch for 'crazy bad' Windows zero-day bug" on ZDNet.
