Google's security researchers regularly try to discover vulnerabilities in the company's own software products, as well as those developed by other firms, such as Microsoft and Apple. These efforts are part of Google's Project Zero initiative through which it informs other companies about the vulnerability present in their software products, allowing them 90 days to fix the issue, before details are publicly disclosed.
Back in November 2016, Project Zero revealed a "particularly serious" security flaw in Windows 10 just ten days after detailing it to Microsoft - for which it received lots of backlash. It also disclosed yet another vulnerability in Windows soon after, however, this time after its standard 90-day deadline had passed. Now, a Google security researcher has discovered what he terms a "crazy bad" exploit in Windows which has the capacity to easily spread.
Tavis Ormandy, a security researcher at Google, has tweeted the following:
I think @natashenka and I just discovered the worst Windows remote code exec in recent memory. This is crazy bad. Report on the way.
— Tavis Ormandy (@taviso) May 6, 2017
While Ormandy hasn't revealed specific details as of yet - and it is currently unknown which versions of Windows this exploit affects - he has said that the vulnerability works against a default install as well, and can easily spread, regardless of whether the target is on a separate Local Area Network (LAN).
With details currently scarce - and an official report not yet filed in Google's Project Zero issue tracker - it remains to be seen how serious the exploit really is. Seeing that Microsoft's Patch Tuesday is just around the corner as well, the company will be hoping that, if the issue is legitimate, it has enough time to fix it before tomorrow.
Source: Tavis Ormandy (Twitter) via On MSFT