A vulnerability researcher at Google is giving props to Microsoft for issuing a quick fix to what he described as a "crazy bad" remote code execution flaw in the company's malware protection engine. He called it the worst of its kind in recent memory, and with reason: prior to the patch, a remote attacker could gain full control of a PC simply by sending a malicious email. The recipient needn't even open the message for this nasty zero-day bug to work, because the engine scans the file on arrival.
"The update addresses a vulnerability that could allow remote code execution if the Microsoft Malware Protection Engine scans a specially crafted file. An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the LocalSystem account and take control of the system," Microsoft explained in a security advisory (4022344).
"I think @natashenka and I just discovered the worst Windows remote code exec in recent memory. This is crazy bad. Report on the way. 🔥🔥🔥" - Tavis Ormandy (@taviso), May 6, 2017
In short, an attacker could leverage this vulnerability by hiding malicious code in any file that Microsoft's security software scans, including files arriving by email. Any unpatched Windows 8, Windows 8.1, Windows 10, and Windows Server system is affected.
"Still blown away at how quickly @msftsecurity responded to protect users, can't give enough kudos. Amazing." - Tavis Ormandy (@taviso), May 9, 2017