Microsoft Has Google to Thank for Finding Major Zero-Day Vulnerability

NEWS ANALYSIS: A new vulnerability allows malware to subvert the operations of Microsoft’s security software on most current systems.

Microsoft.HQ

Microsoft has Google to thank for revealing a new vulnerability in current versions of Windows, SharePoint and the company's stand-alone security software—a vulnerability so serious that Microsoft rushed through a fix that's already being sent out as an update to Windows.

The vulnerability, which was found by staffers Natalie Silvanovich and Tavis Ormandy of Google Project Zero, works by having the Microsoft security software actually execute the malware while scanning. The exploit can be delivered in an email or an instant message, and because it's executed by the security scan, it would not even need to be opened.

Microsoft has already released a fix to the vulnerability in the automatic updates for its security software. Automatic updating for security works for individual and for enterprise implementations of Windows and other affected products. Because of this, the company isn't recommending any action.

"The update addresses a vulnerability that could allow remote code execution if the Microsoft Malware Protection Engine scans a specially crafted file," Microsoft said in the technical note announcing the fix. "An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the LocalSystem account and take control of the system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."

The Microsoft security advisory provides a list of affected Microsoft products, which include all current versions of Windows 7, 8.1 and 10.

The exploit can be launched when the Malware Protection Engine automatically scans files with Real-time Protection turned on; if that protection is turned off, then the scan happens later when all files are scanned.

Even though Microsoft isn't recommending any action from users, that doesn't mean they have nothing to do to confirm their safety. Any computer that isn't able to receive automatic security updates from Microsoft may still be vulnerable, for example. Such situations could include where security software or hardware prevents the updates from getting through, as well as any machines that are turned off at the time the update was released and aren't turned on right away.

It's also important to confirm that the security update actually happened. The instructions for verifying that the update took place are included in Microsoft's Malware Protection Engine deployment instructions. Basically, when using an affected product, check the Help and About screens for information on the update. Check the specific instructions for details on your version of Windows or other Microsoft products.

Even if users or organizations have third-party anti-malware products installed, they should still allow the update to run. While you may have something else doing the heavy lifting, it's very likely that the Malware Protection Engine is still installed and operating at some level of your computers. The fact that it's there and can still scan the malware means your system may still be vulnerable.

It's worth noting that the security researchers who found this potential exploit said it's "wormable," meaning that it could be implemented as a self-replicating, self-spreading network worm and affect systems that don't directly receive files from the internet.

The good news is that once alerted, Microsoft put forth great effort to fix the vulnerability quickly. The Google team found the vulnerability on May 6, and the fix was sent out three days later. This fast turnaround is remarkable.

What's also remarkable is the level of cooperation between the team at Google Project Zero and Microsoft. Researcher Silvanovich released the finding as a tweet, which was followed by further explanations by Ormandy. The Microsoft security team picked up the alert immediately and worked over the weekend so that the patch could be released on May 9.

I knew something was up when the computers in my office suddenly went into an update process and required a reboot shortly after they were turned on. Normally, my updates arrive at night, and if there's a restart, it happens when they're turned off at night. I also noted that the update took noticeably longer than most. Apparently fixing the vulnerability was more complex than most updates.

The nature of this vulnerability discovery and fix is important because it underscores the value of cooperation in researching security. While some might complain that companies that share data are anti-competitive, the fact is that security is such a huge problem that it needs all available hands working on the issue. The fact that two competitors such as Google and Microsoft can cooperate is critical.

Perhaps more important, it speaks to the only partly successful government attempts to encourage cooperation in security. Companies can work together for the benefit of all, provided they're allowed to do so.

Wayne Rash

Wayne Rash

Wayne Rash is a freelance writer and editor with a 35 year history covering technology. He’s a frequent speaker on business, technology issues and enterprise computing. He covers Washington and...