Google’s Project Zero finds Windows vulnerability, calls it “crazy bad”
Why it matters to you
Google’s Project Zero just discovered a Windows vulnerability, which highlights the importance of making sure you keep your Windows PC up to date.
Judging by the number of exploits that have surfaced over the last several months, one might be tempted to think that the internet and PCs are generally unprotected and wide open for attack. Whether or not that is actually true, a significant number of highly visible and scary-sounding vulnerabilities have been documented lately.
The latest comes from Google’s Project Zero, which locates flaws in systems like Microsoft Windows and promises to publicize them no later than 90 days after notifying the developer. That team has been true to its word, publishing details of flaws before they’ve actually been patched, and it has now discovered one that it calls the “worst … in recent memory,” as The Hacker News reports.
The news came via Project Zero member Tavis Ormandy’s tweet the other day:
I think @natashenka and I just discovered the worst Windows remote code exec in recent memory. This is crazy bad. Report on the way.
— Tavis Ormandy (@taviso) May 6, 2017
In a subsequent tweet, Ormandy provided a few more details about the vulnerability:
.@natashenka Attack works against a default install, don't need to be on the same LAN, and it's wormable.
— Tavis Ormandy (@taviso) May 6, 2017
Project Zero won’t reveal any additional details about the flaw until its 90-day disclosure deadline has run, or until a patch ships. Presumably, Project Zero has passed the report along to Microsoft, which is hopefully in the process of determining how best to fix the flaw. While Microsoft may not be able to provide a fix in this month’s Patch Tuesday security update scheduled for May 9, it would still have at least one more Patch Tuesday to issue a fix before Project Zero makes the vulnerability public.
Project Zero has reported flaws to Microsoft before, including some instances where a vulnerability was publicized before Microsoft issued a patch. The Google team has therefore drawn some general angst over its disclosure policy, even as that policy has likely succeeded in prodding developers to fix flaws in their code expeditiously.
Natalie Silvanovich, another Project Zero member, responded to just these sorts of concerns with a tweet of her own:
If a tweet is causing panic or confusion in your organization, the problem isn't the tweet, the problem is your organization
— Natalie Silvanovich (@natashenka) May 6, 2017
This particular vulnerability serves as a reminder to keep your PCs updated with the latest security patches, and to ensure that your anti-malware software and its definitions are also up to date. While this vulnerability affects Windows, Apple’s MacOS users are not immune to attack and should take their own precautions as well.
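The article’s advice is to keep Windows patched and anti-malware definitions current. The following PowerShell script is an added example (not part of the original article, and not from Project Zero or Microsoft) showing how to check both from an elevated prompt on a Windows 10 machine: it lists the most recently installed hotfixes, asks the Windows Update Agent which applicable updates are still not installed, and reads the Windows Defender signature state. The `Get-MpComputerStatus` call assumes the Defender module is present, which it is on a default Windows 10 install; on a machine running a third-party product that section will simply be skipped.

```powershell
# Added example: quick patch-level and anti-malware status check for a Windows 10 host.
# Run from an elevated PowerShell prompt. All output goes to the console.

# 1. Most recent security patches actually installed on this machine.
Write-Host "=== Most recently installed updates ==="
Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 5 HotFixID, Description, InstalledOn |
    Format-Table -AutoSize

# 2. Updates Windows Update considers applicable but not yet installed.
#    Uses the Windows Update Agent COM API, which is available on every supported Windows version.
Write-Host "=== Applicable updates not yet installed ==="
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$pending  = $searcher.Search("IsInstalled=0 and IsHidden=0")

if ($pending.Updates.Count -eq 0) {
    Write-Host "No pending updates reported by Windows Update."
} else {
    foreach ($u in $pending.Updates) {
        # MsrcSeverity is only populated for security updates (Critical, Important, ...).
        $severity = if ($u.MsrcSeverity) { $u.MsrcSeverity } else { "n/a" }
        Write-Host ("[{0}] {1}" -f $severity, $u.Title)
    }
    Write-Host ("{0} update(s) pending; reboot may be required after installing." -f $pending.Updates.Count)
}

# 3. Windows Defender engine and signature state (skipped if the Defender module is absent).
Write-Host "=== Windows Defender status ==="
if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
    $mp = Get-MpComputerStatus
    $sigAgeDays = (New-TimeSpan -Start $mp.AntivirusSignatureLastUpdated -End (Get-Date)).Days
    Write-Host ("Real-time protection enabled : {0}" -f $mp.RealTimeProtectionEnabled)
    Write-Host ("Engine version               : {0}" -f $mp.AMEngineVersion)
    Write-Host ("Signature version            : {0}" -f $mp.AntivirusSignatureVersion)
    Write-Host ("Signatures last updated      : {0} ({1} day(s) ago)" -f $mp.AntivirusSignatureLastUpdated, $sigAgeDays)
    # Assumption for this example: signatures older than two days are treated as stale.
    if ($sigAgeDays -gt 2) {
        Write-Warning "Defender signatures look stale; run Update-MpSignature."
    }
} else {
    Write-Host "Windows Defender cmdlets not available on this host; check your anti-malware product manually."
}
```

The pending-update search is the same query the Windows Update client runs itself, so an empty result means the machine has everything Microsoft currently offers it; a non-empty list with Critical or Important entries is the signal to patch now rather than wait for the next maintenance window.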