Posted on May 8, 2017 at 5:31 PM
Two of the Google’s Project Zero researchers have announced a remote code execution (RCE) while searching for vulnerabilities in Windows. The researchers are both very well known in the world of zero-days, and their names are Natalie Silvanovich and Tavis Ormandy.
Upon discovering this major flaw during the weekend, they’ve tweeted their discoveries in a very cryptic way, so that Windows would have the time to fix the flaw in the upcoming patch. Ormandy’s tweet has caught the eye of everyone, and in it, he states:
“I think @natashenka and I just discovered the worst Windows remote code exec in recent memory. This is crazy bad. Report on the way.”
I think @natashenka and I just discovered the worst Windows remote code exec in recent memory. This is crazy bad. Report on the way. 🔥🔥🔥
— Tavis Ormandy (@taviso) May 6, 2017
As we previously stated, he did not give any more info about the flaw due to the Google’s policy to give a 90-day deadline to the affected company’s security to patch things up. It’s safe to say that Microsoft now has 90 days to figure it out, and then the official report will be issued by Google. This will probably happen whether the issue has been dealt with or not.
Even though Ormandy didn’t say what the problem is, he did leave several details, in which he states that:
- The victim and the attacker don’t have to be on the same LAN
- The attack works on the Windows default form, which means that the system doesn’t only become vulnerable if some extra software is included
- the attack is wormable, meaning that it can self-replicate
These pieces of information don’t reveal much about the flaw except its existence and a few more info that aren’t exactly pointing the way. Despite this, many of the IT professionals have negatively criticized the act of going public with this information. On the other hand, the Twitter community seems to be very pleased with the job that these two researchers have done.
Natalie Silvanovich has tweeted on this topic, and stated that “If a tweet is causing panic or confusion in your organization, the problem isn’t the tweet, the problem is your organization.”
Google’s researchers have managed to detect flaws in Microsoft’s products before as well, with the most recent incident happening in February this year. The flaw found then unveiled that both the IE and Microsoft Edge have had a flaw that needed to be patched, which helped with securing the browsers even further.
Even though Microsoft jumped at the report and released the patch, they still criticized Google’s decision to go public with the details of the flaw, and expose their users to hackers.
For now, there are no comments on this issue by Microsoft, but it’s presumed that the fix for this latest flaw will be included in their May 2017 Patch that just so happens to be scheduled for tomorrow, May 9th.