Over the weekend, Google Project Zero researchers Tavis Ormandy and Natalie Silvanovich tweeted about discovering what Tavis referred to as “the worst Windows remote code exec in recent memory. This is crazy bad.” The bug works against a default installation and could be turned into a worm that replicates itself and spreads to other computers automatically.
Attack works against a default install, don't need to be on the same LAN, and it's wormable. 🔥
— Tavis Ormandy (@taviso) May 6, 2017
The update addresses a vulnerability that could allow remote code execution if the Microsoft Malware Protection Engine scans a specially crafted file. An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the LocalSystem account and take control of the system.
Two days after getting the news of the exploit, Microsoft’s Security Response Center and the Windows Defender developers deployed a fix that is now available via Windows Update. The versions of Windows affected by this bug are Windows 7, 8.1, RT, and Windows 10. It also affects other anti-malware software typically used by IT departments, such as Microsoft Forefront Security for SharePoint Service Pack 3, Windows Intune Endpoint Protection, and others. You can see a full list of the security programs that are affected here.
According to the advisory, you should get the update automatically in the background within the next 48 hours, but if you want to stay on top of things, head to Settings > Update & security and check for updates.
To make sure you have the latest update, head to Settings > Windows Defender, scroll down to the Version info section, and make sure your Engine version is 1.1.13704.0 or higher. The fix lives in the Malware Protection Engine itself, so it is the engine version that matters here, not the client or definition version shown alongside it.
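For anyone checking more than one machine, the same verification can be scripted. The snippet below is an added example and is not from the article or from Microsoft; it uses the Windows Defender PowerShell module (Get-MpComputerStatus, Update-MpSignature), which is available on Windows 8.1 and Windows 10. The registry fallback path is an assumption for systems where the module is missing, and the version threshold is the one the advisory names.

```powershell
# Added example: confirm the Malware Protection Engine is at or above the fixed build.
# Assumes the Defender PowerShell module (Windows 8.1 / Windows 10). Engine updates
# ship with definition updates, so Update-MpSignature is the way to pull a newer engine.

$FixedEngine = [version]'1.1.13704.0'   # engine version named in the advisory as fixed

function Get-DefenderEngineVersion {
    # Preferred source: the Defender cmdlet.
    if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
        return [version](Get-MpComputerStatus).AMEngineVersion
    }
    # Fallback (assumed location): the engine version Defender records in the registry.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Signature Updates'
    $raw = (Get-ItemProperty -Path $key -ErrorAction Stop).EngineVersion
    return [version]$raw
}

function Test-DefenderEnginePatched {
    param([version]$Minimum = $FixedEngine)
    $current = Get-DefenderEngineVersion
    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        EngineVersion = $current
        Required      = $Minimum
        Patched       = ($current -ge $Minimum)   # [version] compares numerically, not as text
    }
}

$result = Test-DefenderEnginePatched
$result | Format-List

if (-not $result.Patched) {
    Write-Warning "Engine $($result.EngineVersion) is below $($result.Required); requesting update."
    if (Get-Command Update-MpSignature -ErrorAction SilentlyContinue) {
        Update-MpSignature            # pulls the latest definitions and engine
        Test-DefenderEnginePatched | Format-List
    } else {
        Write-Warning "Defender module not available; run Windows Update on this host."
    }
}
```

Comparing with [version] rather than as a string avoids the classic mistake where "1.1.9999.0" sorts above "1.1.13704.0" lexically; the object output also makes it easy to run the check across a fleet with Invoke-Command and filter on the Patched field.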
Project Zero researchers find security issues and report them to the vendor, which then has 90 days to repair them before Google goes public with the detailed information. Ormandy didn’t reveal any specifics of the exploit yet, and details about the issue are scarce. Still, it’s good to see Microsoft was able to patch the problem in such a short period of time.
Update: Google has released the vulnerability report on the Project Zero website.