Skip to main content
  1. Home
  2. Computing
  3. News

Google finds Windows vulnerability, calls it ‘crazy bad’

New info about Microsoft's vulnerability emerges, fix on way to users

Add as a preferred source on Google

Judging by the number of exploits that have surfaced over the last several months, one might be tempted to think that the internet and PCs are generally unprotected and wide open for attack. Whether or not that is actually true, a significant number of highly visible and scary-sounding vulnerabilities have been documented lately.

The latest comes from Google’s Project Zero, which locates flaws in systems like Microsoft Windows and promises to publicize them no later than 90 days after notifying the developer. That team has been true to its word, publishing exploits before they’ve actually been patched, and it has discovered one that it claims is the “worst … in recent memory,” as The The Hacker News reports.

Recommended Videos

The news came via Project Zero member Tavis Ormandy’s tweet the other day:

I think @natashenka and I just discovered the worst Windows remote code exec in recent memory. This is crazy bad. Report on the way. 🔥🔥🔥

— Tavis Ormandy (@taviso) May 6, 2017

In a subsequent tweet, Ormandy provided a few more details about the vulnerability:

Attack works against a default install, don't need to be on the same LAN, and it's wormable. 🔥

— Tavis Ormandy (@taviso) May 6, 2017

Project Zero won’t reveal any additional details about the flaw, because of its own 90-day disclosure deadline. Presumably, Project Zero has passed the information along to Microsoft, which immediately kicked off the process of determining how best to fix the exploit. As Ars Technica reports, Microsoft responded quickly and issued a fix that is now being delivered to affected systems.

Now that the fix is on its way to users, Microsoft itself has shared a description of the fix, which is officially titled CVE-2017-0290. Perhaps ironically, the flaw is in the Microsoft Malware Protection Engine, otherwise known as Windows Defender, in all versions of Windows starting with Windows 7. With an unpatched system, any file that’s sent to a system and then scanned by Windows Defender could be used for an attack that would be executed at the LocalSystem level — in other words, with highly elevated privileges — and could take control of the system.

Because the Malware Protection Engine is updated in the background, users don’t need to do anything to patch an affected system. Updates are usually issued each month, but they can also be sent out immediately whenever needed. You can check that your system has been fixed by opening Windows Defender, going to Settings, then About, and checking your Engine Version. If it is 1.1.13701.0 or later, then you are not affected by the vulnerability.

Mark Coppock/Digital Trends
Mark Coppock/Digital Trends

As Ars Technica points out, this vulnerability utilizes one of the weaknesses of anti-malware software in general. Because it has to work at so many levels, and at very high privilege levels, in order to protect a system, it is uniquely vulnerable to many different kinds of attacks. Microsoft implemented a security feature, Control Flow Guard (CFG), in Windows 8.1 and Windows 10 that helps protect against remote execution attacks like this one.

Microsoft has been a Project Zero target in the past, including some instances where a vulnerability was publicized before Microsoft issued a patch. The Google team has therefore been a target of some general angst around its policies, even as it has likely succeeded in prodding developers to move expeditiously in fixing flaws in their code.

Natalie Silvanovich, another Project Zero member, responded to just these sorts of concerns with a tweet of her own:

If a tweet is causing panic or confusion in your organization, the problem isn't the tweet, the problem is your organization

— Natalie Silvanovich (@natashenka) May 6, 2017

This particular vulnerability serves as a reminder to make sure to keep your PCs updated with the latest security patches, and to ensure that your malware software is also up to date. While this vulnerability affects Windows, Apple’s MacOS users are not immune to attack and should take their own precautions as well.

Updated on 5-9-2017 by Mark Coppock: Added information about the vulnerability and that Microsoft has issued a fix.

Mark Coppock
Former Computing Writer
Mark Coppock is a Freelance Writer at Digital Trends covering primarily laptop and other computing technologies. He has…
Apple’s Hide My Email feature has an unfixed bug that leaves email addresses exposed
100% exploitable in limited testing, known since June 2025, and still unfixed as of today.
apple-merging-sign-in-with-apple-hide-my-email-icloud+

Apple has been selling Hide My Email to keep your real email address hidden, but it has a vulnerability that does the exact opposite. The worst part is that the company has known about it for a year. 

Hide My Email, part of Apple’s paid iCloud+ subscription, lets users generate anonymous email addresses for signing up to a website, so that their personal or work email remains free of promotional emails and spam. 

Read more
I hate sharing my Mac, but a face-unlocking app finally cured my privacy paranoia
Someone finally built the app locker every Mac user has been asking for.
FaceGate in action on Mac

If you have ever handed your Mac to a friend, family member, or coworker for "just a minute," you know the mild panic that follows. Sure, your Mac has a lock screen, but once someone is past it, they can open Messages, Photos, Notes, Mail, WhatsApp, and your browser.

iPhones had the same issue, but Apple solved it by adding an app lock feature with the iOS 18 update. Sadly, no such feature exists for macOS. That’s where the new FaceGate app for Mac can help you. It’s a free and open-source app that lets you lock apps on your Mac and even has some novel tricks up its sleeve. So, let’s talk about it, shall we?

Read more
The charm of a tiny Windows tablet is apparently dead at Microsoft. Long live the Surface Go!
Microsoft’s budget Surface era may be over
Microsoft Surface Go 3 stand.

Microsoft might be cleaning up its Surface lineup. According to Windows Central, Microsoft has stopped manufacturing the Surface Go and Surface Laptop Go lines, with no successors currently planned. Surface Go 4 and Surface Laptop Go 3 are reportedly out of stock in most places, and once remaining retail stock is gone, that may be it.

If this is true, then we are looking at the end of the brand's budget Surface PCs as Microsoft has plenty of premium Windows hardware.

Read more