
Worst Windows bug ever found – Your system is at risk without this patch

People usually rely on security software to protect their systems from cyber threats such as viruses and malware. We trust these programs enough that we typically leave them running in the background, scanning every file received for potential danger.

But what if this very system, that’s supposed to protect your machine, is the vector itself?

Two prominent security researchers discovered a severe vulnerability in the Microsoft Malware Protection Engine (MsMpEng), the scanning engine behind Windows Defender (and Microsoft's other antimalware products) that ships with every recent version of Windows.

The security researchers, Tavis Ormandy and Natalie Silvanovich, both from Google's Project Zero team, described the bug as “crazy bad” and said it may be the “worst Windows remote code exec in recent memory” (“remote code exec” being shorthand for remote code execution).

The remote code execution flaw (assigned CVE-2017-0290 by Microsoft in its security advisory) could allow an attacker to run arbitrary code on the target and take over the entire machine. Because the scanning engine runs as the highly privileged LocalSystem account, an attacker who hijacks it inherits those privileges.

The scary part about this bug is that exploiting it doesn’t require any user interaction. Ironically, the attack is triggered by Windows Defender itself: it fires the moment the malware protection engine scans a specially crafted file.

This means that if someone sends a poisoned file via email or instant message, all it takes is for Windows Defender (the software that is supposed to protect your system) to scan it for the attack to execute. The flaw can likewise be exploited via file sharing, websites and downloads: anything Windows Defender scans automatically. Since real-time protection scans files as soon as they are written to disk, the victim never has to open the file.

According to Ormandy, the bug is also “wormable,” meaning an exploit could be written to replicate itself and spread to other machines beyond the initial victim with no human involvement.

Additionally, the attack works against a clean, default Windows installation. Windows Defender is enabled out of the box, so no extra software is needed for the attack to succeed.

Understandably, after disclosing it privately to Microsoft, the researchers have not publicly disclosed any further details about the exploit to give the software maker time to fix it.

Food for thought: Project Zero’s Ormandy has gained quite a reputation for scrutinizing and exposing flaws in popular software. His research and advice are valued in software security circles because he has found numerous zero-day flaws. Zero-day flaws are exploitable bugs that are previously unknown to the software maker, so no fix exists at the time they are discovered.

Microsoft’s response

Thankfully, Microsoft swiftly issued an emergency fix on Monday for this potentially devastating bug. Because the flaw is in the scanning engine rather than in Windows itself, the fix ships as an updated engine rather than as a regular Patch Tuesday update.

Because of the rapid turnaround, Ormandy praised Microsoft, tweeting that he was impressed by “how quickly @msftsecurity responded to protect users, can’t give enough kudos.”

Users typically won’t have to do anything, since engine updates are delivered automatically through the same channel as malware definition updates; Microsoft says the built-in update mechanism normally applies them within 48 hours of release. (For an immediate fix, you can trigger a definition update manually and confirm the engine version afterwards.)
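The following PowerShell is an added example, not something from the article or from Microsoft: it checks which engine version a machine is running, compares it with the first engine version Microsoft's advisory lists as fixed (1.1.13704.0, taken from Microsoft Security Advisory 4022344), and triggers a definition update if the engine is older. It assumes Windows 8.1 or Windows 10 (or Server 2012 R2 and later), where the Defender PowerShell module is available, and an elevated prompt for the update step; the function name Get-EngineVersion is my own.

```powershell
# Added example (not from the article or Microsoft): verify that the Microsoft
# Malware Protection Engine on this machine carries the CVE-2017-0290 fix, and
# pull the update if it does not. Needs the Defender module (Windows 8.1/10,
# Server 2012 R2+) and an elevated prompt for Update-MpSignature.

# First engine version with the fix, per Microsoft Security Advisory 4022344.
$fixedEngine = [version]'1.1.13704.0'

function Get-EngineVersion {
    # AMEngineVersion is the MsMpEng engine build. It is distinct from the
    # signature (definition) version and from the antimalware client version,
    # so check this property and not the others.
    [version](Get-MpComputerStatus).AMEngineVersion
}

$current = Get-EngineVersion
Write-Host "Malware Protection Engine: $current (fix shipped in $fixedEngine)"

if ($current -lt $fixedEngine) {
    Write-Warning "Engine $current is vulnerable to CVE-2017-0290; updating now."
    # Engine updates ride the definition-update channel, so a signature update
    # also pulls the new engine from the configured source (Microsoft Update,
    # WSUS or an internal share).
    Update-MpSignature -ErrorAction Stop

    $current = Get-EngineVersion
    if ($current -lt $fixedEngine) {
        throw "Still on engine $current after the update; check the update source and connectivity."
    }
}

Write-Host "OK: engine $current includes the CVE-2017-0290 fix."
```

On older systems without the Defender module (for example Windows 7 with Microsoft Security Essentials), the same engine version is shown in the product's About dialog; the number to look for is the same.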

Microsoft also told the researchers that the risk of remote code execution is lower on Windows 8.1 and Windows 10, because the engine there is built with Control Flow Guard (CFG), an exploit mitigation that makes it harder to turn a memory-corruption bug into control of the program. CFG raises the bar for an attacker but is not a substitute for installing the fix.

Microsoft’s security advisory for this bug (Security Advisory 4022344, covering CVE-2017-0290) has the full details, including the fixed engine version.
