Miscreants can turn the tables on Microsoft and use its own antivirus engine against Windows users – by abusing it to install malware on vulnerable machines.
A particularly nasty security flaw exists in Redmond's anti-malware software, which is packaged and marketed in various forms: Windows Defender, Windows Intune Endpoint Protection, Microsoft Security Essentials, Microsoft System Center Endpoint Protection, Microsoft Forefront Security for SharePoint, Microsoft Endpoint Protection, and Microsoft Forefront Endpoint Protection. All are, at this moment, at risk. It is switched on by default in Windows 8, 8.1, 10, and Windows Server 2012.
It is possible for hackers to craft files that are booby-trapped with malicious code, and this nasty payload is executed inadvertently and automatically by the scanner while inspecting messages, downloads and other files. The injected code runs with administrative privileges, allowing it to gain full control of the system, install spyware, steal files, and so on.
In other words, while Microsoft's scanner is silently searching your incoming email for malware, it can be tricked into running and installing the very sort of software nasty it's supposed to catch and kill.
On Monday night, in an emergency update, Microsoft fixed the vulnerability in its security packages. This upgrade will be automatically fetched and installed by the scanner engine on your machines, quietly closing the embarrassing security hole over the next two days.
"The update addresses a vulnerability that could allow remote code execution if the Microsoft Malware Protection Engine scans a specially crafted file," explained Redmond's security team.
"An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the LocalSystem account and take control of the system.
"Typically, no action is required of enterprise administrators or end users to install updates for the Microsoft Malware Protection Engine, because the built-in mechanism for the automatic detection and deployment of updates will apply the update within 48 hours of release. The exact time frame depends on the software used, Internet connection, and infrastructure configuration."
The programming blunder – CVE-2017-0290 – was discovered and reported to Redmond by Google Project Zero's Natalie Silvanovich and Tavis Ormandy. The latter described the bug as "the worst Windows remote code [execution] in recent memory. This is crazy bad."
Ahead of tonight's drama, Ormandy tweeted about the bug's existence on Friday evening, and, understandably, gave no further details because at the time there was no patch yet available:
.@natashenka Attack works against a default install, don't need to be on the same LAN, and it's wormable. 🔥— Tavis Ormandy (@taviso) May 6, 2017
Sources familiar with the matter told The Reg that Ormandy contacted the Windows giant before tweeting.
It was feared this vulnerability – even though details were scant – would remain unpatched for potentially weeks or months. Earlier, we asked Microsoft if it could share a timetable for the fix's release so that IT admins could plan downtimes and update cycles.
In response, Microsoft spokespeople told us: "Windows has a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection."
So, basically, jog on, nerds. But as it turns out Microsoft was faster off the ball than expected. "Still blown away at how quickly Microsoft Security responded to protect users," said Ormandy on Monday. "I can't give enough kudos. Amazing."
An easy way for attackers to exploit the scanner bug would be to send malicious malware-laden files to a victim as an attachment on an email or instant message, or an automatic download from a webpage, which would be automatically scanned on arrival – and trigger an infection.
Ormandy's early warning of the bug, just before the weekend, sparked a torrent of whining from some in the infosec world, who felt the researcher was playing his own game with the news.
Ormandy has done this sort of teasing before. Twice in the past few months, he has warned of flaws in the LastPass password manager. In both cases, the software maker's engineers spent their weekends getting security updates built and out the door.
But there is nothing irresponsible about such disclosure. To be responsible, researchers have to inform the writers of the flawed software with full details and preferably a proof of concept for exploiting it. Once that's done, they can talk about the flaw tangentially, but not give clues as to how it works for fear of alerting exploit writers and malware-slinging scumbags.
That didn't stop many people online accusing the duo of being reckless – for, one, warning of the existence of a bug early, and causing worry among IT managers and normal folk – and, two, for doing it on a Friday night when everyone has gone home or to the bar.
On that first point, the complainers are dead wrong – in some cases, going public forces companies into action. Over the years we've seen multiple examples of organizations getting word of flaws and dragging their feet for months, or even years, before fixing issues that malware developers may already have spotted.
On the second point, well, we hate to break it to you but all software has bugs – especially Microsoft's code. There are any number of horrible remote code execution flaws in Windows and Office right now, sitting there waiting for white and black hats to find and exploit. Being told, yes, there is definitely a bad bug lurking in among the ones and zeroes doesn't make you less secure.
Short of something overly drastic, there isn't really anything you can do until the patch lands – it just would be helpful if Microsoft gave folks a heads up.
If a tweet is causing panic or confusion in your organization, the problem isn't the tweet, the problem is your organization— Natalie Silvanovich (@natashenka) May 6, 2017
The Windows maker should be counting its blessings. It just received a free flaw report that could have cost them a lot in bug bounties, and was able to quietly, on a Monday evening while most of the Western world was asleep or commuting home, slip out a fix. ®