Microsoft Patches Fatal Flaw in Windows Antivirus Software

Microsoft last night (May 8) rushed out an emergency patch to fix a grave flaw that could have let hackers disable, or even hijack, Microsoft's own antivirus software with a single malicious tweet.

Credit: Aleksandra Duda/Shutterstock

The patch came less than 24 hours before Microsoft's regularly scheduled monthly software updates. The fact that the company didn't want to wait testifies to the severity of the flaw, which had been discovered only Friday by two Google security researchers.

"You know a security hole is serious if Microsoft issues a patch for it just hours before the company is scheduled to release its regular bundle of Patch Tuesday updates," noted independent security blogger Graham Cluley on the Bitdefender security blog.

Users of Windows 7 and later don't need to do anything. The Microsoft antivirus software, called Microsoft Security Essentials in Windows 7 and Windows Defender in Windows 8.1 and 10, will automatically update itself: the fix ships through the same channel as malware definitions, not through Windows Update, and Microsoft's guidance for engine updates is that machines typically receive them within 48 hours of release.

However, anyone using Microsoft Security Essentials in Windows XP or Windows Vista should immediately switch to another antivirus provider, as Microsoft no longer supplies security patches to those operating systems.
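Because the fix arrives silently through the definition-update channel, the practical check is whether the engine build on a given machine is at or above the first fixed build. The following PowerShell is an added example, not code from the article or from Microsoft. It assumes the minimum version given as the script's default is the first fixed engine build named in Microsoft's advisory for this flaw (verify it against the advisory before relying on it), and it assumes the registry paths used for the Windows 7 / Security Essentials fallback, where the Defender PowerShell module is not available.

```powershell
# Added example (not from the article): confirm that the local Microsoft antimalware
# engine has picked up the fixed Malware Protection Engine build.
# Assumption: the default below is the first fixed engine build named in Microsoft's
# advisory for this flaw; confirm it against the advisory before relying on it.
param(
    [version]$MinimumEngineVersion = '1.1.13704.0'
)

function Get-AntimalwareEngineVersion {
    # Windows 8.1 / 10: the Defender module reports the engine version directly.
    if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
        return [version](Get-MpComputerStatus).AMEngineVersion
    }
    # Windows 7 with Security Essentials has no Defender module; read the value the
    # client writes at update time. Assumption: these are the registry locations used
    # by Security Essentials and Defender respectively; adjust if your build differs.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware\Signature Updates',
        'HKLM:\SOFTWARE\Microsoft\Windows Defender\Signature Updates'
    )
    foreach ($p in $paths) {
        $v = (Get-ItemProperty -Path $p -Name EngineVersion -ErrorAction SilentlyContinue).EngineVersion
        if ($v) { return [version]$v }
    }
    throw 'No Microsoft antimalware engine version found on this machine.'
}

$engine = Get-AntimalwareEngineVersion
if ($engine -ge $MinimumEngineVersion) {
    "Engine $engine is at or above $MinimumEngineVersion: fixed build installed."
} else {
    "Engine $engine is below $MinimumEngineVersion: forcing an update."
    # Update-MpSignature exists only with the Defender module; on Security Essentials,
    # open the client and run its Update action by hand.
    if (Get-Command Update-MpSignature -ErrorAction SilentlyContinue) {
        Update-MpSignature
        "Engine after update: $((Get-MpComputerStatus).AMEngineVersion)"
    }
}
```

Run it from an elevated PowerShell prompt; comparing `[version]` objects rather than strings matters here, because a plain string comparison would rank "1.1.9..." above "1.1.13704.0".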


The flaw has to do with how the Microsoft malware-detection engine (the Microsoft Malware Protection Engine, shared by Microsoft Security Essentials and Windows Defender) parses JavaScript, a scripting language common in web pages and other applications that the engine analyzes in order to spot malicious scripts.

A malicious JavaScript snippet fed into the malware-detection engine's code analyzer in just the right way could corrupt the engine's own memory and let the attacker run code inside it. The JavaScript could arrive in a web page, instant message, tweet, email, downloaded file or any other format that the antivirus software scans automatically; because real-time protection inspects such content as soon as it arrives, the victim would not need to open or click anything.

That, in turn, could let remote attackers crash, or even take command of, Windows Defender or Microsoft Security Essentials, whose engine runs as a highly privileged system service, leaving undefended a system that relied upon either program as its primary antivirus software. Users who relied on third-party antivirus software instead would not be affected.

The flaw was discovered by Google Project Zero researchers Tavis Ormandy and Natalie Silvanovich. Ormandy tweeted out Friday evening (May 5) that he and Silvanovich had "just discovered the worst Windows remote code exec in recent memory. This is crazy bad."

However, the two initially disclosed details of the flaw only to Microsoft, whose engineers worked over the weekend and finally released a fix and a statement explaining the fix Monday evening (May 8).

At that point, Ormandy and Silvanovich released their own explanation of the flaw. Silvanovich showed that malicious code exploiting the Windows flaw could fit into a single tweet, and Ormandy praised the Microsoft team for getting the very serious, widespread flaw fixed in 72 hours.

"What an amazing response," Ormandy tweeted last night. "That was incredible work. Still blown away at how quickly @msftsecurity responded to protect users, can't give enough kudos. Amazing."

  • spikey in tn
    Is this solely a Microsoft problem, or does JavaScript also have a key role that needs addressing?
    0
  • Paul Wagenseil
    Anonymous said:
    Is this solely a Microsoft problem, or does JavaScript also have a key role that needs addressing?


    Bad JavaScript makes this attack possible, but I don't think JavaScript is to blame.
    0
  • spikey in tn
    Anonymous said:
    Anonymous said:
    Is this solely a Microsoft problem, or does JavaScript also have a key role that needs addressing?


    Bad JavaScript makes this attack possible, but I don't think JavaScript is to blame.


    Perhaps I didn't sufficiently differentiate between whether JavaScript was an innocent carrier or an active participant. Regardless of which ultimately proves to be the case, one thing is certain - JavaScript is in the middle, whether actively or passively, of far too many attacks of all kinds. To me it has proven to be a hacker's dream because of how well it serves their purposes.
    0