Microsoft Patches Fatal Flaw in Windows Antivirus Software

Senior editor, security and privacy
Updated

Microsoft last night (May 8) rushed out an emergency patch to fix a grave flaw that could have let hackers disable, or even hijack, Microsoft's own antivirus software with a single malicious tweet.

Credit: Aleksandra Duda/ShutterstockCredit: Aleksandra Duda/Shutterstock

The patch came less than 24 hours before Microsoft's regularly scheduled monthly software updates. The fact that the company didn't want to wait testifies to the severity of the flaw, which had been discovered only Friday by two Google security researchers.

"You know a security hole is serious if Microsoft issues a patch for it just hours before the company is scheduled to release its regular bundle of Patch Tuesday updates," noted independent security blogger Graham Cluley on the Bitdefender security blog.

Users of Windows 7 and later don't need to do anything. The Microsoft antivirus software, called Microsoft Security Essentials in Windows 7 and Windows Defender in Windows 8.1 and 10, will automatically update itself.

However, anyone using Microsoft Security Essentials in Windows XP or Windows Vista should immediately switch to another antivirus provider, as Microsoft no longer supplies security patches to those operating systems.

MORE: Best Antivirus Software and Apps

The flaw has to do with how the Microsoft malware-detection engine, shared by Microsoft Security Essentials and Windows Defender, parses JavaScript, a common coding language used in web pages and other applications.

A malicious JavaScript command fed into the malware-detection engine's code analyzer in just the right way could affect the malware-detection engine itself. The JavaScript could arrive in a web page, instant message, tweet, email or any other format that would be monitored by antivirus software.

That, in turn, could let remote attackers crash, or even take command of, Windows Defender or Microsoft Security Essentials, leaving undefended a system that relied upon either program as its primary antivirus software. Users who used third-party antivirus software would not be affected.

The flaw was discovered by Google Project Zero researchers Tavis Ormandy and Natalie Silvanovich. Ormandy tweeted out Friday evening (May 5) that he and Silvanovitch had "just discovered the worst Windows remote code exec in recent memory. This is crazy bad."

However, the two initially disclosed details of the flaw only to Microsoft, whose engineers worked over the weekend and finally released a fix and a statement explaining the fix Monday evening (May 8).

At that point, Ormandy and Silvanovich released their own explanation of the flaw. Silvanovich showed that malicious code exploiting the Windows flaw could fit into a single tweet, and Ormandy praised the Microsoft team for getting the very serious, widespread flaw fixed in 72 hours.

"What an amazing response," Ormandy tweeted last night. "That was incredible work. Still blown away at how quickly @msftsecurity responded to protect users, can't give enough kudos. Amazing."