Google Project Zero researchers Tavis Ormandy and Natalie Silvanovich have discovered what might be “the worst Windows remote code exec in recent memory.”
They revealed their discovery in a tweet over the weekend.
I think @natashenka and I just discovered the worst Windows remote code exec in recent memory. This is crazy bad. Report on the way.
—Tavis Ormandy (@taviso) May 6, 2017
According to the researchers, Windows has a significant remote code execution security hole that’s “crazy bad.” Ormandy says it has the potential to spread on its own and the attack is effective against default Windows installations.
Project Zero won’t reveal any additional details about the flaw because of its own 90-day disclosure deadline. Presumably, Project Zero has passed the information along to Microsoft, which is hopefully in the process of determining how best to fix the vulnerability. While Microsoft may not be able to provide a fix in this month’s Patch Tuesday security update, scheduled for May 9, it would still have at least one more Patch Tuesday to issue a fix before Project Zero makes the vulnerability public.