Google finds Windows vulnerability, calls it ‘crazy bad’

New info about Microsoft's vulnerability emerges, fix on way to users

Judging by the number of exploits that have surfaced over the last several months, one might be tempted to think that the internet and PCs are generally unprotected and wide open for attack. Whether or not that is actually true, a significant number of highly visible and scary-sounding vulnerabilities have been documented lately.

The latest comes from Google’s Project Zero, which locates flaws in systems like Microsoft Windows and promises to publicize them no later than 90 days after notifying the developer. That team has been true to its word, publishing exploits before they’ve actually been patched, and it has discovered one that it claims is the “worst … in recent memory,” as The The Hacker News reports.

The news came via Project Zero member Tavis Ormandy’s tweet the other day:

In a subsequent tweet, Ormandy provided a few more details about the vulnerability:

Project Zero won’t reveal any additional details about the flaw, because of its own 90-day disclosure deadline. Presumably, Project Zero has passed the information along to Microsoft, which immediately kicked off the process of determining how best to fix the exploit. As Ars Technica reports, Microsoft responded quickly and issued a fix that is now being delivered to affected systems.

Now that the fix is on its way to users, Microsoft itself has shared a description of the fix, which is officially titled CVE-2017-0290. Perhaps ironically, the flaw is in the Microsoft Malware Protection Engine, otherwise known as Windows Defender, in all versions of Windows starting with Windows 7. With an unpatched system, any file that’s sent to a system and then scanned by Windows Defender could be used for an attack that would be executed at the LocalSystem level — in other words, with highly elevated privileges — and could take control of the system.

Because the Malware Protection Engine is updated in the background, users don’t need to do anything to patch an affected system. Updates are usually issued each month, but they can also be sent out immediately whenever needed. You can check that your system has been fixed by opening Windows Defender, going to Settings, then About, and checking your Engine Version. If it is 1.1.13701.0 or later, then you are not affected by the vulnerability.

google project zero discovers serious windows vulnerability defender version
Mark Coppock/Digital Trends
Mark Coppock/Digital Trends

As Ars Technica points out, this vulnerability utilizes one of the weaknesses of anti-malware software in general. Because it has to work at so many levels, and at very high privilege levels, in order to protect a system, it is uniquely vulnerable to many different kinds of attacks. Microsoft implemented a security feature, Control Flow Guard (CFG), in Windows 8.1 and Windows 10 that helps protect against remote execution attacks like this one.

Microsoft has been a Project Zero target in the past, including some instances where a vulnerability was publicized before Microsoft issued a patch. The Google team has therefore been a target of some general angst around its policies, even as it has likely succeeded in prodding developers to move expeditiously in fixing flaws in their code.

Natalie Silvanovich, another Project Zero member, responded to just these sorts of concerns with a tweet of her own:

This particular vulnerability serves as a reminder to make sure to keep your PCs updated with the latest security patches, and to ensure that your malware software is also up to date. While this vulnerability affects Windows, Apple’s MacOS users are not immune to attack and should take their own precautions as well.

Updated on 5-9-2017 by Mark Coppock: Added information about the vulnerability and that Microsoft has issued a fix.

Product Review

“World’s Smartest Camera” is let down by not-so-smart omissions

Ooma Butterfleye’s high quality, auto-adaptive imaging, wire-free operation and free cloud storage delights, but there are some flaws to be aware of, including a lack of proper night vision.

Windows 10 can split and resize windows with ease. Here's how to do it

Windows 10 is a great desktop operating system, and its many window management features are part of the reason why. Here's how to divvy up windows using Snap Assist and other native tools.
Smart Home

White-hat Chinese hackers turn Alexa into a spy, briefly

A team of Chinese researchers revealed this week that they were able to use a cracked Amazon Echo to exploit a series of Alexa interface flaws to take control over an unteuched Echo running on the same network.

A brand-new Mac can be hacked remotely during its first Wi-Fi connection

Researchers discovered a security flaw affecting versions of MacOS prior to 10.13.6 that allows hackers to take control of a Mac during first-time setup and device provisioning. Malicious code can then be injected into the Mac.
Social Media

How to use Adobe Spark Post to spice up your social media images

Images are proven to get more likes than plain text -- but only if those images are good. Adobe Spark post is an AI-powered design program for non-designers. Here's how to use it to take your social media feeds to the next level.

Google One subscriptions offer more cloud storage for low prices, other perks

Can't get enough storage on Google Drive, Photos, or Gmail? Google One is the new way to boost your cloud storage. But it's not just about more space -- Google One comes with a loads of benefits.

A turn for the better: Loupedeck+ adds custom dials, more to Lightroom console

The Loupedeck+ improves on the original Lightroom console by adding welcome customization options and introducing support for Skylum Aurora HDR. What's even better is that it does this all at an even lower price.

Intel serves up ‘Bean Canyon’ NUCs revved with ‘Coffee Lake’ CPUs

Looking for a super-compact PC for streaming media that doesn’t break the bank? Intel updated its NUC family with its new “Bean Canyon” kits. Currently, there are five with a starting price of $300 packing eighth-generation Intel Core…

Save hundreds with the best MacBook deals for August 2018

If you’re in the market for a new Apple laptop, let us make your work a little easier: We hunted down the best up-to-date MacBook deals available online right now from various retailers.

Lost without 'Print Screen'? Here's how to take a screenshot on a Chromebook

Chrome OS has a number of built-in screenshot options, and can also be used with Chrome screenshot extensions for added flexibility. You have a lot of options, but learning how to take a screenshot on a Chromebook is easy.

Gaming on a laptop has never been better. These are your best options

Gaming desktops are powerful, but they tie you down to your desk. For those of us who prefer a more mobile experience, here are the best gaming laptops on the market, ranging from budget machines to maxed-out, wallet-emptying PCs.

A dead pixel doesn't mean a dead display. Here's how to repair it

Dead pixel got you down? We don't blame you. Check out our guide on how to fix a dead pixel and save yourself that costly screen replacement, or an unwanted trip to your local repair shop.

Asus claims ‘world’s thinnest’ title with its new Zephyrus S gaming laptop

The Republic of Gamers arm at Asus is claiming “world’s thinnest” with the introduction of its new Zephyrus S gaming laptop measuring just 0.58 inches at its thinnest point. The company also revealed the Strix SCAR II.

Intel teases new dedicated graphics card slated for 2020 release

Intel has confirmed plans to launch a dedicated graphics card in 2020. Although precious few details exist for the card at this time, it was silhouetted in a recent Intel video showcased at Siggraph 2018.