Microsoft Plugs ‘Crazy Bad’ Zero-Day Windows Exploit With Emergency Patch

A vulnerability researcher at Google is giving props to Microsoft for issuing a quick fix to what he described as a "crazy bad" remote code exploit in the company's malware protection engine. He also said it was the worst of its kind in recent memory, and that is because prior to the patch, a remote attacker could gain full control of a PC simply by sending a malicious email. The recipient needn't even open the communication for this nasty zero-day bug to work.

"The update addresses a vulnerability that could allow remote code execution if the Microsoft Malware Protection Engine scans a specially crafted file. An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the LocalSystem account and take control of the system," Microsoft explained in a security advisory (4022344).

This bug is all kinds of nasty. The Google researcher, Ormandy, pointed out in a separate Twitter post that the attack works against a default install and that the attacker does not need to be on the same local area network as the target. It is also wormable.

Several of Microsoft's anti-malware services use its Malware Protection Engine, including Microsoft Security Essentials, Endpoint Protection, and others. The problem (prior to the patch) relates to NScript, a component of MPE that evaluates all file system and network activity that looks like JavaScript.

"To be clear, this is an unsandboxed and highly privileged JavaScript interpreter that is used to evaluate untrusted code, by default on all modern Windows systems. This is as surprising as it sounds," Ormandy stated in a bug report as part of Google's Project Zero task force.

In short, an attacker could leverage this vulnerability by hiding malicious code in a file that Microsoft's security software scans, email included. Any unpatched Windows 8, Windows 8.1, Windows 10, and Windows Server system is affected.

The good news here is that Microsoft was quick to respond with an emergency patch. In addition, Microsoft says that in most cases neither enterprise administrators nor end users need to take any action, because updates are typically doled out automatically within 48 hours of release. Even so, if you're running an affected system, it's a good idea to hit up Windows Update.
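For administrators who would rather verify than wait the 48 hours, the following PowerShell snippet is an added example (not from the article or from Microsoft) that reads the locally installed Malware Protection Engine version, compares it against the fixed version, and requests an engine update if the machine is behind. It assumes the Windows Defender PowerShell module (`Get-MpComputerStatus`, `Update-MpSignature`) is present, as it is on Windows 8.1, Windows 10, and Windows Server with Defender; the fixed engine version number is not stated in the article, so it is left as a placeholder to be filled in from advisory 4022344.

```powershell
# Added example: check the local Malware Protection Engine version against the
# fixed version from Microsoft advisory 4022344 and pull an update if needed.
# Assumes the Windows Defender PowerShell module is available on this host.

# PLACEHOLDER: replace with the fixed engine version listed in advisory 4022344
$PatchedEngineVersion = [version]'0.0.0.0'

function Test-MpEngineVersion {
    param([Parameter(Mandatory)][version]$Minimum)

    # Get-MpComputerStatus reports the engine (AMEngineVersion) separately from
    # the product and signature versions; the engine is what this bug lives in.
    $status = Get-MpComputerStatus
    $engine = [version]$status.AMEngineVersion

    [pscustomobject]@{
        EngineVersion        = $engine
        IsPatched            = ($engine -ge $Minimum)
        SignatureLastUpdated = $status.AntivirusSignatureLastUpdated
    }
}

$result = Test-MpEngineVersion -Minimum $PatchedEngineVersion
$result | Format-List

if (-not $result.IsPatched) {
    Write-Warning "Engine $($result.EngineVersion) is older than $PatchedEngineVersion; requesting an update."
    # Engine updates are delivered through the definition-update channel, so this
    # fetches the fixed engine without waiting for a full Windows Update cycle.
    Update-MpSignature
    Test-MpEngineVersion -Minimum $PatchedEngineVersion | Format-List
}
```

Run it from an elevated PowerShell session; on a fleet, the `IsPatched` field is the value to collect centrally, since a host that still reports an old engine version after `Update-MpSignature` is one whose update path needs attention.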