Ormandy tweet

UPDATE [May 9, 2017]: Microsoft has issued a patch for this issue, which affects the Microsoft Malware Protection Engine. You can read more about it here.

Two Google security experts have found a severe remote code execution (RCE) bug in the Windows OS, which they've described as "crazy bad."

The two experts are Natalie Silvanovich and Tavis Ormandy, both working for Project Zero, a Google initiative for discovering and helping patch zero-days in third-party software products.

The two didn't release in-depth details about the vulnerability, but only posted a few cryptic tweets regarding the issue.

"I think @natashenka and I just discovered the worst Windows remote code exec in recent memory," said Ormandy on Saturday, May 6. "This is crazy bad. Report on the way."

Pressed with questions by Twitter's infosec community, Ormandy later revealed more details:

- the attacker and the victim don't necessarily need to be on the same LAN
- the attack works on a default Windows install, meaning victims don't need to install extra software on their systems to become vulnerable
- the attack is wormable (can self-replicate)

The tweets came days before Microsoft's May 2017 Patch Tuesday, scheduled for tomorrow, May 9. The researchers said a report is on the way, alluding that the vulnerability might be patched this month, after which they'll be free to publish their findings.

In the past two years, Ormandy has been one of the most proficient bug hunters out there, discovering zero-days and unpatched vulnerabilities in products such as CloudFlare, LastPass, Bromium's micro-virtualization technology, and multiple antivirus engines such as Kaspersky, ESET, FireEye, Malwarebytes, AVG, Avast, Symantec, Trend Micro, and Comodo.