Microsoft Plugs ‘Crazy Bad’ Zero-Day Windows Exploit With Emergency Patch
A vulnerability researcher at Google is giving props to Microsoft for issuing a quick fix to what he described as a "crazy bad" remote code exploit in the company's malware protection engine. He also said it was the worst of its kind in recent memory, and that is because prior to the patch, a remote attacker could gain full control of a PC simply by sending a malicious email. The recipient needn't even open the communication for this nasty zero-day bug to work.
"The update addresses a vulnerability that could allow remote code execution if the Microsoft Malware Protection Engine scans a specially crafted file. An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the LocalSystem account and take control of the system," Microsoft explained in a security advisory (4022344).
I think @natashenka and I just discovered the worst Windows remote code exec in recent memory. This is crazy bad. Report on the way. 🔥🔥🔥
— Tavis Ormandy (@taviso) May 6, 2017
Several of Microsoft's anti-malware services use its Malware Protection Engine, including Microsoft Security Essentials, Endpoint Protection, and others. The problem (prior to the patch) relates to NScript, a component of MPE that evaluates all file system and network activity that looks like JavaScript.
"To be clear, this is an unsandboxed and highly privileged JavaScript interpreter that is used to evaluate untrusted code, by default on all modern Windows systems. This is as surprising as it sounds," Ormandy stated in a bug report as part of Google's Project Zero task force.
In short, an attacker could leverage this vulnerability by hiding malicious code in a file that is scanned by Microsoft's security software, including email. Any unpatched Windows 8, Windows 8.1, Windows 10, and Windows Server system is affected by this.
Still blown away at how quickly @msftsecurity responded to protect users, can't give enough kudos. Amazing.
— Tavis Ormandy (@taviso) May 9, 2017