This means that the first-ever Windows 10 release (version 1507), released in July 2015, will no longer receive any security updates from Microsoft.
In a series of tweets, Ormandy called the exploit "the worst Windows remote code exec in recent memory" and warned that it is "wormable", meaning it could produce a chain of similar attacks across a number of vulnerable machines.
That, in turn, could let remote attackers crash, or even take command of, Windows Defender or Microsoft Security Essentials, leaving undefended a system that relied upon either program as its primary antivirus software.
The vulnerability was discovered on Saturday by Google Project Zero cyber-security researchers Tavis Ormandy and Natalie Silvanovich, who describe the issue as being related to the "NScript" component of MsMpEng.exe, a core process of Windows Defender that scans downloaded files for spyware and quarantines or removes them.
"Vulnerabilities in MsMpEng are among the most severe possible in Windows, due to the privilege, accessibility, and ubiquity of the service", Google said in its bug report. Microsoft released an emergency update on Monday, just hours ahead of today's regularly scheduled "Patch Tuesday" (the second Tuesday of each month), to fix an unsafe flaw present in most of Microsoft's anti-malware technology that's being called the worst Windows bug in recent memory.
Microsoft has stated that the update will address the vulnerability, which allows remote code execution (RCE) when the Protection Engine scans a specially crafted file.
Understandably, after disclosing it privately to Microsoft, the researchers have not publicly disclosed any further details about the exploit to give the software maker time to fix it.
Attackers can reach MpEngine simply by sending emails to users (reading the email or opening attachments isn't even necessary), or through links visited in a web browser, instant messaging and so on, according to Ormandy. They found that a particular function in the engine fails to validate message properties from an object before passing it along to a runtime state. "All of this code is accessible to remote attackers". Ormandy says he was "blown away" by how quickly Microsoft responded.
However, there were still many users who continued to use these applications to have a classic start menu in the system, something that had not caused problems until the arrival of Windows 10 Creators Update. "This is as surprising as it sounds".
The event is set to take place from 10 May to 12 May this year and registrations are all sold out. This year, like every other one in the past, we are expecting Microsoft to showcase some hardware along with the usual software updates and innovations. It would make sense for the company to showcase some of its features at Build. Rumors suggest the update will include social and productivity enhancements.
Admins and users should check that the Microsoft Malware Protection Engine version is 1.1.10701.0 or later; those versions are not affected by this bug.
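One way to run that version check on a machine with the Windows Defender PowerShell module, as an added example that is not from the article or from Microsoft. The function names `Test-MpEngineFixed` and `Get-MpEngineReport` are hypothetical; `Get-MpComputerStatus` and its `AMEngineVersion` property are the real Defender cmdlet and field.

```powershell
# Added example. Function names are hypothetical; the threshold is the
# first unaffected engine version named in the article.
$FixedEngineVersion = [version]'1.1.10701.0'

function Test-MpEngineFixed {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$EngineVersion)
    $parsed = $null
    # TryParse avoids an exception on empty or malformed version strings.
    if (-not [version]::TryParse($EngineVersion, [ref]$parsed)) {
        return $false   # unknown version: do not report it as fixed
    }
    return $parsed -ge $FixedEngineVersion
}

function Get-MpEngineReport {
    $engine = $null
    # The cmdlet is missing on systems without the Defender module
    # (for example, hosts running Microsoft Security Essentials).
    if (-not (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue)) {
        $status = 'Unknown (Get-MpComputerStatus not available)'
    } else {
        try {
            $engine = [string](Get-MpComputerStatus -ErrorAction Stop).AMEngineVersion
            $status = if (Test-MpEngineFixed $engine) { 'Fixed' } else { 'Update required' }
        } catch {
            $status = 'Unknown (query failed)'
        }
    }
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Engine   = $engine
        Status   = $status
    }
}

Get-MpEngineReport
```

A status of `Unknown` means the engine version has to be read another way, such as from the product's About dialog.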