Patch not yet available, Microsoft already contacted

May 8, 2017 08:35 GMT  ·  By

Google security researchers have found yet another unpatched vulnerability in Microsoft's Windows operating system, and this time it appears to be a genuinely dangerous one.

Project Zero researchers Tavis Ormandy and Natalie Silvanovich announced over the weekend that they had come across what they described as "the worst" RCE in Windows, while withholding any technical specifics because of the risk that disclosure would pose before a fix exists.

“I think @natashenka and I just discovered the worst Windows remote code exec in recent memory. This is crazy bad. Report on the way,” Tavis Ormandy said on May 6. “Attack works against a default install, don't need to be on the same LAN, and it's wormable,” he continued.

Microsoft hasn't yet responded to these claims, but under Google Project Zero's disclosure policy the company has a 90-day window to develop and ship a patch. If no patch is released within those three months, the two researchers will publish the details of the flaw publicly, as the program's policy prescribes. Until then, with no details available, there is nothing specific for administrators to mitigate beyond keeping systems current with Windows Update.

Google-discovered flaws in Microsoft software

This is not the first vulnerability that Google's security researchers have discovered in Microsoft's products, and more recently Microsoft has been on the receiving end of a public disclosure after it failed to provide a patch within 90 days of being notified.

The most recent case took place in February, when Google researchers disclosed the details of a vulnerability affecting Microsoft's browsers. Microsoft released a fix as part of the following Patch Tuesday cycle, but criticized Google for making all details public, arguing that such a decision exposes millions of Windows users to attack.

This time, the next Patch Tuesday takes place tomorrow, but since the report was only submitted over the past weekend there is little chance a fix will be ready in time for it. This means that without an out-of-band patch, Windows users would only get a fix for this vulnerability in the June Patch Tuesday release, leaving them unprotected for more than a month.