Microsoft has rushed out a self-installing patch for a zero-day vulnerability in a Windows security program that allows hackers to take over a computer just by sending an email.
“The update addresses a vulnerability that could allow remote code execution if the Microsoft Malware Protection Engine scans a specially crafted file,” reads the advisory about the patch Microsoft issued Monday.
That means hackers can exploit the flaw simply by sending an email with a specially designed attachment. As soon as the malware engine scans the attachment, the crafted file triggers the flaw inside the engine and the attacker can take control of the machine.
Remote code execution bugs are considered the most severe kind of security vulnerability, and flaws in security software are often especially bad because of its trusted status on the machine.
The Microsoft security advisory said there was no evidence the vulnerability, designated CVE-2017-0920, “had been publicly used to attack customers” at the time of publication.
The company added that no action would be needed by end-users to apply the patch, since the security software automatically updates itself.
“Typically, no action is required of enterprise administrators or end users to install updates for the Microsoft Malware Protection Engine, because the built-in mechanism for the automatic detection and deployment of updates will apply the update within 48 hours,” states the advisory.
“The exact time frame depends on the software used, Internet connection, and infrastructure configuration.”
The bug was discovered by Google Project Zero researchers, who said — in a coordinated disclosure — that the target wouldn’t even have to open the attachment or read the email. Because the Malware Protection Engine, or “mpengine” is designed to stop bad code before it executes, it has a “filesystem mini-filter to intercept and inspect all system … activity,” so anytime the computer starts writing data “to anywhere on disk (e.g. caches, temporary internet files, downloads — even unconfirmed downloads — attachments, etc)” the engine’s functionality, thus its vulnerability, is accessed.
This means, explained Project Zero bug hunters Natalie Silvanovich and Tavis Ormandy, that “On workstations, attackers can access mpengine by sending emails to users (reading the email or opening attachments is not necessary)…”
Ormandy dropped a hint about the forthcoming disclosure late Friday night in a tweet: “I think [Silvanovich] and I just discovered the worst Windows remote code exec[ution flaw] in recent memory. This is crazy bad. Report on the way.”
On Monday, Ormandy praised Microsoft for its response:
Still blown away at how quickly @msftsecurity responded to protect users, can't give enough kudos. Amazing.
— Tavis Ormandy (@taviso) May 9, 2017