[Update: Already Fixed!] Google Discovers “Crazy Bad” & “Wormable” RCE Flaw in Windows
Google is at it again! After annoying Microsoft at least twice this year already, Google security experts have found yet another vulnerability in the Windows operating system. The security researchers at Google are calling this new (probably super old) bug a "crazy bad" remote code execution flaw.
Google security researchers find wormable RCE bug in Windows
Tavis Ormandy, a security researcher at Google, started a commotion on Twitter over the weekend when he disclosed having found a serious vulnerability in Windows OS. Since we don't know the severity of this bug, we are going to follow Ormandy's use of "crazy bad" and "worst" to assume it's a pretty critical bug.
I think @natashenka and I just discovered the worst Windows remote code exec in recent memory. This is crazy bad. Report on the way.
— Tavis Ormandy (@taviso) May 6, 2017
Security researcher Natalie Silvanovich along with Ormandy found this bug - both of whom work for Google's Project Zero Initiative that is responsible for discovering and helping companies patch up zero-days. However, the security initiative has also aggrieved a number of annoyed companies who believe Google lives in a La La Land and isn't aware of the on-ground patching situation.
what you guys are missing is that not everyone works at a major company. some have small teams and SLT who doesnt "get it". this creates
— zate (@zate) May 7, 2017
Twitter drama aside, we don't know much about this crazy bad Windows flaw except that:
- It is a remote code execution bug;
- Attacker and target don't need to be on the same LAN;
- Attack works on a default Windows install - hinting that users aren't required to fall for phishing emails or infected exe files;
- And that it's wormable.
From the above details, it certainly looks a crazy bad flaw, however, we will wait for technical details to be disclosed before giving it a red-alert status.
We have reached out to Microsoft for a comment and will update this story when we receive more details on when should users expect the patch. Microsoft's May 2017 Patch Tuesday is scheduled for tomorrow. However, it is unclear if Ormandy tweeted this right after finding the vulnerability or if Microsoft had already received the details - in which case we might get the patch along with the details tomorrow. Ormandy did say the report was on the way, which makes us hope the patch is arriving soon, as well.
In the meantime, there's no reason to panic as Google hasn't disclosed any technical information and if tweets are any hint, the search giant doesn't have any workable exploit, either.
[Update]: Microsoft's response
Microsoft sent the following response to our queries:
Windows has a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection.
However, the company did say that there may be "some more information" available later today. The romantics that we are, we can't help but hope for some juicy details and hopefully the patch to arrive.
[Update 2]: Whoa! It's addressed already
Microsoft has already fixed the Remote Code Execution flaw even ahead of its scheduled Patch Tuesday release.
We released an automatic update to our antimalware engine on Monday, May 8, and customers are protected. More information is available in our security advisory."
Ormandy also acknowledged how fast Microsoft was at fixing this particular bug.
What an amazing response, thanks so much Simon and MSRC! That was incredible work.
— Tavis Ormandy (@taviso) May 9, 2017
Microsoft said that enterprise administrators or end users don't need to install any patch or take any action. Today's informational security advisory is only released "to inform customers that an update to the Microsoft Malware Protection Engine" has addressed the exploit. More details on this bug can be found over here.