Two Google security researchers have found a highly critical vulnerability in Windows that allows attackers to remotely execute code on the affected system. The vulnerability was discovered by Natalie Silvanovich and Tavis Ormandy from Google’s Project Zero, a team of hackers that tries to find vulnerabilities in widely used software in order to protect internet users.
I think @natashenka and I just discovered the worst Windows remote code exec in recent memory. This is crazy bad. Report on the way.
— Tavis Ormandy (@taviso) May 6, 2017
Ormandy tweeted that the vulnerability is “the worst Windows remote code exec in recent memory. This is crazy bad”. In another tweet he added, “attack works against a default install, don’t need to be on the same LAN, and it’s wormable.”
While Ormandy and Silvanovich have not provided many more details, they have announced that they will release a report with details later. This will likely be in about 3 months, as it’s Google policy to give software vendors a 90-day security disclosure deadline to patch their products before the details are disclosed to the public.
Earlier this year Google’s Project Zero also disclosed unpatched vulnerabilities in Windows.