Google Project Zero Finds “Crazy Bad” Windows Exploit
Ashley Allen / 3 weeks ago
Google’s bug-hunting team has exposed a serious exploit in Windows 10. A member Project Zero, a group of security analysts that searches for zero-day vulnerabilities, disclosed its existence on Twitter on Monday (8th May). A Google researcher described the security flaw as “crazy bad” and “the worst Windows remote code exec in recent memory.”
“I think @natashenka and I just discovered the worst Windows remote code exec in recent memory. This is crazy bad. Report on the way,” tweeted Project Zero researcher. “Attack works against a default install, don’t need to be on the same LAN, and it’s wormable,” he added.
.@natashenka Attack works against a default install, don't need to be on the same LAN, and it's wormable. 🔥
— Tavis Ormandy (@taviso) May 6, 2017
Project Zero has not publicly disclosed the nature of the vulnerability but has presumably notified Microsoft. Today’s monthly Windows Update may even include a patch for it.
Google Has a History of Exposing Windows Vulnerabilities
Google has made a habit of whistleblowing on Windows exploits. Earlier this year, Project Zero exposed a number of serious security issues with Windows 10: three within the space of a month. Project Zero gave Microsoft ample notice – 90 days, as per its policy – to fix the problems before the Google team went public.
Microsoft was none too happy with Google’s disclosure, explaining that public exposure of bugs is bad for users.
“We believe in coordinated vulnerability disclosure, and we’ve had an ongoing conversation with Google about extending their deadline since the disclosure could potentially put customers at risk,” a Microsoft spokesperson told Ars Technica. “Microsoft has a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible.”