Microsoft releases emergency patch for 'crazy bad' Windows zero-day bug

The vulnerability has been dubbed the worst Windows remote code execution flaw in recent memory.
Written by Charlie Osborne, Contributing Writer

Microsoft has released a patch rapidly developed to combat a severe zero-day vulnerability discovered only days ago.

Late Monday, the Redmond giant issued a security advisory for CVE-2017-0290, a remote code execution flaw impacting the Windows operating system.

The security vulnerability was disclosed over the weekend by Google Project Zero security experts Natalie Silvanovich and Tavis Ormandy.

On Twitter, prominent vulnerability hunter Ormandy revealed the existence of a zero-day flaw in Microsoft Malware Protection Engine (MsMpEng), used by Windows Defender and other security products.

The researcher deemed the find a "crazy bad" bug which may be "the worst Windows remote code exec [execution flaw] in recent memory."


Ormandy did not reveal anything else at the time, to give Microsoft time to fix the scripting engine memory corruption vulnerability after it was reported privately.

The built-in deployment system and scanner engine in Microsoft's products will issue the patch to vendors automatically over the next 48 hours and so more details have been disclosed.

The vulnerability allows attackers to remotely execute code if the Microsoft Malware Protection Engine scans a specially crafted file. When successfully exploited, attackers are able to worm their way into the LocalSystem account and hijack an entire system.

With such power, they have complete control to install or delete programs, steal information, create new accounts with full user rights, and download additional malware.

The Project Zero team says the vulnerability can be leveraged against victims by only sending an email to users -- without the need for the message to be opened or any attachments to be downloaded. An attack leveraging the exploit could also be conducted through malicious website visits or instant messaging.

According to Ormandy, the vulnerability could not only be exploited to work against default systems, but is also "wormable." In other words, malware using the exploit can replicate itself and spread beyond the target system.

"Vulnerabilities in MsMpEng are among the most severe possible in Windows, due to the privilege, accessibility, and ubiquity of the service," the team says.

"If the affected antimalware software has real-time protection turned on, the Microsoft Malware Protection Engine will scan files automatically, leading to exploitation of the vulnerability when the specially crafted file scanned," Microsoft said. "If real-time scanning is not enabled, the attacker would need to wait until a scheduled scan occurs in order for the vulnerability to be exploited."

See also: Zero day exploits: The smart person's guide (TechRepublic)

Microsoft Forefront Endpoint Protection 2010, Microsoft Endpoint Protection, Microsoft Forefront Security for SharePoint Service Pack 3, Microsoft System Center Endpoint Protection, Microsoft Security Essentials, Windows Defender for Windows 7, Windows Defender for Windows 8.1 and RT 8.1, Windows Defender for Windows 10, Windows 10 1511, Windows 10 1607, Windows Server 2016, Windows 10 1703, and Windows Intune Endpoint Protection are all affected.

However, Microsoft told the Project Zero team that the Control Flow Guard (CFG) security feature lowers the risk of compromise on some of the latest platforms where the feature is enabled.

Ormandy praised Microsoft for how quickly the emergency patch was issued, saying that he was "blown away at how quickly @msftsecurity responded to protect users, can't give enough kudos."

Microsoft says there have been no reports of the issue being exploited in the wild. System administrators do not need to act as Microsoft's internal systems will push the engine updates to vulnerable systems, however, the update can also be applied manually for a quicker fix.

5 things you should know about VPNs

Editorial standards