Google Project Zero security researchers discover 'crazy bad' Windows exploit
Google’s Project Zero identifies bugs and security flaws in commonly used software, and gives firms 90 days to patch them before going public. This is an approach which doesn’t always go down well -- a case in point being when Google recently released details of a Windows bug after Microsoft failed to patch it in time.
Now two Project Zero security researchers claim to have found a new critical remote code execution (RCE) vulnerability in Windows which they describe as the "worst in recent memory" and "crazy bad".
In a tweet over the weekend, researcher Tavis Ormandy announced that he and fellow researcher Natalie Silvanovich had discovered "the worst Windows remote code exec in recent memory. This is crazy bad. Report on the way."
I think @natashenka and I just discovered the worst Windows remote code exec in recent memory. This is crazy bad. Report on the way. 🔥🔥🔥
— Tavis Ormandy (@taviso) May 6, 2017
Ormandy didn’t provide any solid details about the flaw -- doing so would undermine Google's 90-day disclosure policy -- but did reveal that the attack works against a default Windows installation, doesn’t need to be on the same local area network (so could be activated remotely), and is wormable -- meaning it could potentially spread itself.
Let’s hope Microsoft acts swiftly in this case, and the problem is fixed before the deadline expires this time around.