Researchers Tavis Ormandy and Natalie Silvanovich from Google Project Zero have discovered and reported a remote code execution vulnerability in Windows. This bug is in fact the “worst Windows remote code exec in recent memory”. The researchers also described the bug as “crazy bad”. Given the nature of the flaw, one question needs answering: will Microsoft succeed in fixing the flaw on the upcoming Patch Tuesday, or will it wait out the 90-day disclosure deadline?
Tavis announced the vulnerability in a tweet just a couple of days ago.
His tweet caused a wave of reactions from fellow researchers, all trying to guess the location of the flaw. The researcher hasn’t revealed much about the bug, but he did say that “attack works against a default install, don’t need to be on the same LAN, and it’s wormable”. Things are definitely not looking good with this one.
How Does Project Zero Work?
In short, vulnerabilities discovered by the team are reported to the vendors and are made publicly visible after a patch is made available, or if 90 days have passed without a patch being released. This 90-day deadline gives vendors the chance to fix the issue before the flaw goes public so that users can protect themselves and avoid attacks. It’s also a way of implementing responsible vulnerability disclosure.
Unfortunately, Microsoft has often failed to resolve serious bugs before the 90-day deadline.
More about Remote Code Execution
The ability to trigger arbitrary code execution from one computer on another (mostly via the Internet) is widely known as remote code execution. What enables attackers to execute malicious code and gain control over the compromised system is the presence of vulnerabilities. Once the system is under the attackers’ control, they can elevate their privileges.
That being said, the best way to prevent remote code execution attacks is by never allowing vulnerabilities to be exploited. Unfortunately, remote code execution flaws are very often favored by attackers, and that is what makes keeping your operating system up-to-date crucial.
Sadly, there are many cases of vulnerabilities being exploited in the wild before an adequate patch is released. Because of their severity, zero-day vulnerabilities are often rated critical. Windows is often prone to zero-day exploits, like CVE-2015-2545 from 2015, found in Microsoft Office 2007 SP3, 2010 SP2, 2013 SP1, and 2013 RT SP1.