It didn't even need opening, just for it to be sent to the Windows machine was enough for the hack to work, Google Project Zero researchers Natalie Silvanovich and Tavis Ormandy reported today.
Ormandy had already described the bug as "crazy bad" and "the worst [of its kind] in recent memory." In a full technical description of the bug, he wrote: "Vulnerabilities in MsMpEng [Microsoft Malware Protection Engine] are among the most severe possible in Windows, due to the privilege, accessibility, and ubiquity of the service."
Fortunately, Microsoft has rushed out a patch and all PCs running the vulnerable tool should receive an update today. "If the affected antimalware software has real-time protection turned on, the Microsoft Malware Protection Engine will scan files automatically, leading to exploitation of the vulnerability when the specially crafted file scanned," the company wrote in its advisory. "If real-time scanning is not enabled, the attacker would need to wait until a scheduled scan occurs in order for the vulnerability to be exploited. All systems running an affected version of antimalware software are primarily at risk.
"The update addresses the vulnerability by correcting the manner in which the Microsoft Malware Protection Engine scans specially crafted files."
Microsoft said the update should download automatically and users need not download anything. They can check they received the patch by following the instructions in the company's advisory.
What's the bug?
Ormandy noted that "there is no practical way to identify an exploit at the network level, and administrators should patch as soon as is practically possible."
"It looks fairly severe," added co-founder of Hacker House Matthew Hickey. "The [proof-of-concept hack] demonstrates remote code execution capability in various scenarios: you could exploit a system by uploading a file to [a] web server or sending an email to a Microsoft desktop. The malware protection service is enabled by default in Windows 8 and up. It's a very critical bug.
"It seems this malware protection service might be an Achilles heel in Microsoft security model and system owners should consider disabling it."
Despite the severity, Microsoft is receiving praise for how quickly it dealt with the bug, proving the value of the disclosure process...
Still blown away at how quickly @msftsecurity responded to protect users, can't give enough kudos. Amazing.
— Tavis Ormandy (@taviso) May 9, 2017
Google is making a change to image search today that sounds small but will have a big impact: it’s removing the “view image” button that appeared when you clicked on a picture, which allowed you to open the image alone.
5 years, 1 month ago
Looking for a new job is getting easier. Google today launched a new jobs search feature right on its search result pages that lets you search for jobs across virtually all of the major online job boards like LinkedIn, Monster, WayUp, DirectEmployers, CareerBuilder and Facebook and others. Google will also include job listings its finds on a company’s homepage.
5 years, 9 months ago
Microsoft is launching a new Surface Pro today, and it’s dropping its numbering scheme as a result. While many were expecting a Surface Pro 5, Microsoft’s new tablet / laptop hybrid is simply the Surface Pro from now on.
5 years, 10 months ago