A couple of days ago, Google researcher Tavis Ormandy made the following statement on Twitter:
I think @natashenka and I just discovered the worst Windows remote code exec in recent memory. This is crazy bad. Report on the way.
Turns out it wasn’t Windows, per se, but Windows Defender (and Microsoft Security Essentials, in prior Windows versions). And “crazy bad” is apt.
It set into motion an example of “the system” working, and working well, to keep you safe.
The Windows Defender bug
While the details of the bug are naturally complex, the bottom line is very, very simple: if an attacker managed to get a maliciously-crafted file onto your machine, a Windows Defender scan of that file could be exploited in such a way as to allow what’s called “privilege escalation” and “remote code execution”.
In English: the act of downloading a malicious file could allow an attacker unfettered access to your machine.
In scarier English: files are being downloaded all the time. For example, the simple act of downloading your email or opening a web page causes files to be downloaded to your machine. Unlike normal situations where you need to take action to get infected, you don’t need to see, access, read, or open the email or file; its mere presence is enough.
The solution is simple: ensure that Windows, and in particular, Windows Defender (or Microsoft Security Essentials), is up to date. Make sure automatic updates are on or visit Windows Update in Control Panel and “Check for Updates”.
As long as you’re updated, the threat has passed.
To confirm you have the latest updates in Windows 10, open the Settings app, click on Update & Security, and then Windows Defender in the left-hand column. Scroll down until you see “Engine version”.
In Microsoft Security Essentials, this information is present in the Help -> About dialog.
As long as the Engine version is 1.1.13704.0 or later, you’re protected.
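For those who would rather check from a PowerShell prompt than the Settings app, here is an added example (not part of the original article) that reads the engine version with Get-MpComputerStatus and compares it with the fixed version above; the function name is my own, and it assumes the Defender PowerShell module that ships with Windows 8.1 and Windows 10.

```powershell
# Added example, not from the original article: report whether the local
# Windows Defender engine is at or past the version the article names as fixed.
# Test-DefenderEngineFixed is a hypothetical name chosen for this example.
function Test-DefenderEngineFixed {
    param(
        # Engine version carrying the fix, as stated in the article.
        [version]$FixedVersion = [version]'1.1.13704.0'
    )

    try {
        $status = Get-MpComputerStatus -ErrorAction Stop
    } catch {
        Write-Warning "Defender status unavailable (module missing or Defender disabled): $_"
        return $null
    }

    # Cast to [version] so the comparison is numeric, component by component.
    # A plain string comparison would wrongly rank '1.1.9999.0' above '1.1.13704.0'.
    $engine = [version]$status.AMEngineVersion

    [pscustomobject]@{
        EngineVersion       = $engine
        FixedVersion        = $FixedVersion
        IsFixed             = ($engine -ge $FixedVersion)
        RealTimeProtection  = $status.RealTimeProtectionEnabled
        LastSignatureUpdate = $status.AntivirusSignatureLastUpdated
    }
}

$result = Test-DefenderEngineFixed
if ($null -ne $result) {
    $result | Format-List
    if (-not $result.IsFixed) {
        # Engine updates arrive through the same channel as definition updates,
        # so asking for a definition update pulls the newer engine as well.
        Write-Host "Engine is older than the fixed version; requesting an update..."
        Update-MpSignature
    }
}
```

On a machine running Microsoft Security Essentials instead of Windows Defender the module is absent and the function returns nothing, so use the Help -> About dialog described above there.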
So. What happened?
What went wrong?
Very simply, Windows Defender had a bug.
I don’t want to minimize the importance of that bug, or its discovery, but I do want to make an important point:
All software has bugs. No exceptions.
Software is incredibly complex — much more complex than people realize. Bugs — mistakes — are a fact of life. While everything is done to minimize the number of bugs, and the impact of bugs, the fact is that bugs happen.
This isn’t limited to Defender; it’s true of every anti-malware tool. This isn’t limited to Microsoft; it’s true of every software provider.
And every so often, the bug that’s discovered has an impact that’s big, bad, ugly, and scary.
What matters most is what happens next.
What went right?
On May 5th, 2017, Ormandy succeeded in finding a bug in Windows Defender.
This bug is subject to a 90 day disclosure deadline. After 90 days elapse or a patch has been made broadly available, the bug report will become visible to the public.
The concept is simple: the vulnerability is kept secret to keep it out of the hands of malware authors until it’s been fixed. A 90-day limit is put on that secrecy to act as a strong incentive for the software vendor to provide a fix for the issue.
Microsoft moved significantly faster than 90 days.
A fast fix
In what may be record time, the Windows Defender team made a fix available in less than 72 hours.
For an organization as large as Microsoft, a product as complex as an anti-malware tool, the sheer number of flavors of Windows (versions, editions, and languages), and particularly with the pressure of knowing the immense scope of the confirmed vulnerability, this is absolutely amazing.
An automated update
I’m sure that one of the motivations for the fast turnaround was to get the fix folded into the already-scheduled “second Tuesday” round of Windows updates.
As I said, there’s a good chance that many people will have been updated and protected against this potential threat before they even realize it exists.
That’s exactly how the system is supposed to work.
My base recommendation for Windows Defender isn’t changing. For most people, it’s quite enough.
If anything, Microsoft’s response has only served to solidify my opinion. As I said, bugs happen, and something like this can happen to any software, including any anti-malware tool. What matters is the response — and the response was exactly as it should be.
It also solidifies my recommendation that you leave automatic updates for Windows Update turned on. This removes any dependence on you even being aware of a problem before it’s fixed.
Again, exactly as it should be.
I’m sure that some will be spooked by this event. That’s also understandable. If that’s you, my only recommendation in this case is that you take the time to research and select a reputable replacement, in the hopes that when they have an issue, their response will be as professional.