Even with Patch Tuesday less than 24 hours away, Microsoft didn't wait to patch a dangerous Windows remote code...
execution flaw that was discovered by Google's Project Zero just days earlier.
Microsoft released the out-of-band patch Monday evening and revealed the issue (CVE-2017-0290) was in the Microsoft Malware Protection Engine. The flaw enables attackers to perform remote code execution (RCE) or trigger a denial-of-service attack through type confusion and application crashes.
The out-of-band patch comes just three days after Google Project Zero vulnerability researchers Tavis Ormandy and Natalie Silvanovich reported the flaw to Microsoft. The out-of-band patch will be pushed out automatically to users within 48 hours of release.
After the Microsoft advisory regarding the out-of-band patch was posted, the Google Project Zero disclosure became public. And Ormandy added new details on Twitter, saying, "Any service or program that touches the filesystem (IIS, SMB, Exhange [sic], Outlook, IE, etc.) can reach it though, hence RCE."
In the Project Zero disclosure, Ormandy wrote that the flaw affected Windows 8, Windows 8.1, Windows 10 and -- after clarification from Microsoft -- in a more limited way, Windows Server 2016.
"Vulnerabilities in MsMpEng are among the most severe possible in Windows, due to the privilege, accessibility, and ubiquity of the service," Ormandy wrote. "MsMpEng runs as NT AUTHORITY\SYSTEM without sandboxing, and is remotely accessible without authentication via various Windows services, including Exchange, IIS, and so on. On workstations, attackers can access mpengine by sending emails to users (reading the email or opening attachments is not necessary), visiting links in a web browser, instant messaging and so on."
Ormandy has a long history of digging through antivirus and antimalware code to find bugs going back to 2011, with issues Ormandy reported in Sophos products and, more recently, with vulnerabilities in Kaspersky and Symantec antivirus engines.
The Project Zero page showed that Ormandy and Silvanovich reported the Windows flaw to Microsoft on May 5, the day Ormandy teased the issue on Twitter.
At the time, Ormandy only said the vulnerability was "the worst Windows remote code [execution] in recent memory," and the issue was "wormable," adding that even a default installation could be exploited. Ormandy's tweet triggered a debate over responsible vulnerability disclosure. Some security professionals criticized Ormandy for announcing the bug discovery on Twitter, while others felt the tweet was harmless because no technical details were divulged.
Ormandy updated the Project Zero page the day it was posted with a response from Microsoft that it was already working on the out-of-band patch. He also repeatedly praised Microsoft for its work on the out-of-band patch on Twitter.
Still blown away at how quickly @msftsecurity responded to protect users, can't give enough kudos. Amazing.— Tavis Ormandy (@taviso) May 9, 2017
Learn what vulnerabilities in antivirus tools mean for enterprise.
Find out about the Symantec antivirus flaws.
Get info on Windows Server security enhancements.