On 6th May, Tavis Ormandy, the Google Project Zero researcher, took to Twitter to talk about the latest Windows remote code execution vulnerability. The bug, found by Ormandy and colleague Natalie Silvanovich, was labeled “crazy bad” by him.
In a second tweet, Ormandy said that the attack works against a default install, is wormable, and does not require the attacker to be on the same LAN. He shared no further details about the bug.
With the next scheduled release of security updates on 9th May, it is highly unlikely that Microsoft can act on Ormandy’s report and build and test a patch in time for Patch Tuesday. Users would most likely have to wait for an emergency (out-of-band) patch release, or until the following Patch Tuesday on 13th June.
The year started with a Cisco WebEx remote code execution vulnerability, patched in January after an Ormandy disclosure, which was only the first of four major public disclosures to come out of Project Zero so far.
After that, Ivan Fratric, another Project Zero researcher, disclosed a high-severity vulnerability in Edge and Internet Explorer. The bugs remained unpatched at the end of Project Zero’s 90-day disclosure deadline, so the details were published under that policy.
Another incident coincided with Microsoft’s decision to postpone its February Patch Tuesday release.
Project Zero had found a Windows GDI flaw and a Windows SMB flaw, both of which had already been publicly disclosed.
The Patch Tuesday postponement may have been related to a larger cache of Windows exploits, which the ShadowBrokers leaked in April.
Microsoft patched these in the March updates.
The bulk of the ShadowBrokers leak centred on the NSA’s interest in exploiting Windows SMB vulnerabilities, but Microsoft has not confirmed this.