News broke early this week that Microsoft had their hands full last weekend when Google’s Project Zero researcher Tavis Ormandy claimed on Twitter that he and fellow researcher Natalie Silvanovich had discovered a “crazy bad” Windows bug. He further went on to call it “The worst Windows remote code exec in recent memory.”
In the security update that followed, Microsoft revealed the details of the bug, and no, Ormandy was not kidding about how serious it was.
After reviewing the bug, Core Security systems engineer Bobby Kuzma concurred with Ormandy, stating “This was, in fact, crazy bad.”
What made this bug particularly dangerous is not only the scope of the damage it could cause, but also that it could undermine Windows Defender, the antivirus built into Microsoft’s operating system. That would let an attacker break into the many millions of devices running Windows Defender by leveraging the antivirus’s sweeping permissions, without the user having to take any action.
As Project Zero’s report underscores, all a hacker would have had to do to execute an attack was get an illegitimate file onto a device, either by tricking a user into opening an email or by luring them to a harmful website. And since Microsoft’s antivirus checks all incoming files, including unopened attachments, you might not even have had to click on an infected link to fall prey: the act of the antivirus scanning the file is what triggers it and allows it to gain root access.
Thanks to Ormandy’s discovery and Microsoft’s quick action to fix the bug, most users should be protected once they apply the update. It is still a scary reminder of the risk that any software exposes your system to.
In order for an antivirus to do its job correctly, it needs access to every nook and cranny of your computer. But the trade-off in this equation is that if the antivirus is ever compromised, your entire system becomes vulnerable.
Security software being leveraged to compromise your machine instead of protecting it is ironic, to say the least, but similar vulnerabilities have been found in the past in other security products, including those from Symantec, McAfee and FireEye. “Because of what they do, AV products are really complex and have to touch a lot of things that are untrusted,” says Kuzma. “This is the kind of vulnerability we’ve seen time and again.”
At the end of the day, it’s a compromise we have to make, because some security is better than none. As long as there are still watchful eyes alerting the right people of vulnerabilities before the bad guys find them, that’s the best we can hope for, at least for now.