However, Microsoft told the Project Zero team that the Control Flow Guard (CFG) security feature lowers the risk of compromise on some of the latest platforms where the feature is enabled. Microsoft has released many such updates, including three major ones: November Update (version 1511), Anniversary Update (version 1607), and Creators Update (version 1703).
At the time, Ormandy only said the vulnerability was "the worst Windows remote code exec in recent memory" and that the issue was "wormable" and even a default installation could be exploited.
In addition to the anti-malware product update, Microsoft today released fixes for risky security flaws in a range of products, from Internet Explorer and Edge to Windows, Microsoft Office, .NET, and of course Adobe Flash Player.
Many anti-malware programs will start a scan if real-time protection is turned on. No extra software is needed for the attack to execute. On PC, the update is labeled "KB4016871" in Windows Update and installing it will bump the build number to 15063.296.
For most consumers, both quality and feature updates are delivered automatically according to their Windows Update settings. That means anything that writes to a hard disk: temp files, downloads, caches, email attachments, everything. The recipient needn't even open the communication for this nasty zero-day bug to work. While Microsoft's solution fixed the immediate problem, it's pretty clear that there's still a big potential security hole. Addressing the discovery in a security advisory this week, Microsoft confirmed that successful exploitation would see the attacker "take control of the system".
"A remote code execution vulnerability exists when the Microsoft Malware Protection Engine does not properly scan a specially crafted file leading to memory corruption", Microsoft notes. Ormandy sent details of the issue to Microsoft on Friday evening.
Windows 10 is a service, meaning it was built in a very different way from its predecessors so it can be regularly updated with not just fixes but new features, too.
Ormandy today said he was "blown away" by the speed of Microsoft's patch, but he had less praise for the way Microsoft designed its malware scanning engine.
Talking about the new user interface, the Windows 10 Redstone 3 version is expected to boast the Project NEON design, which is the company's sleek, new redesigned UI for the operating system. You're looking for engine version 1.1.13704.0 or higher (1.1.13701.0 has the security hole). "MsMpEng runs as NT AUTHORITY\SYSTEM without sandboxing, and is remotely accessible without authentication via various Windows services, including Exchange, IIS, and so on".
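The two checks the article names (engine version 1.1.13704.0 or higher, and build 15063.296 after KB4016871) can be verified from an elevated PowerShell prompt; this is an added example, not code from the article or from Microsoft, and it assumes Windows Defender with its PowerShell module is the installed anti-malware product.

```powershell
# Added example: confirm a Windows 10 host carries the fixed Malware Protection Engine
# and the Creators Update build the article names. Thresholds are taken from the article;
# the engine threshold is the one that matters for the MsMpEng bug, since the engine is
# updated through definition updates rather than the cumulative update.
$FixedEngine = [version]'1.1.13704.0'   # 1.1.13701.0 is the vulnerable engine
$FixedBuild  = [version]'10.0.15063.296' # build after KB4016871 on Creators Update

function Get-MpEngineStatus {
    # Get-MpComputerStatus is part of the Defender module; AMEngineVersion is the
    # version of the scan engine itself, which is what the fix replaces.
    $status = Get-MpComputerStatus -ErrorAction Stop
    $engine = [version]$status.AMEngineVersion
    [pscustomobject]@{
        EngineVersion   = $engine
        EnginePatched   = ($engine -ge $FixedEngine)
        RealTimeEnabled = $status.RealTimeProtectionEnabled  # scans files as they land on disk
    }
}

function Get-OsBuildStatus {
    # The registry carries the revision (UBR, e.g. 296) that the build number alone omits.
    $cv   = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $full = [version]('{0}.{1}.{2}.{3}' -f $cv.CurrentMajorVersionNumber,
                                          $cv.CurrentMinorVersionNumber,
                                          $cv.CurrentBuildNumber, $cv.UBR)
    [pscustomobject]@{
        OsBuild          = $full
        IsCreatorsUpdate = ($full.Build -eq $FixedBuild.Build)
        HasKB4016871     = ($full.Build -eq $FixedBuild.Build -and $full.Revision -ge $FixedBuild.Revision)
    }
}

$engineStatus = Get-MpEngineStatus
$buildStatus  = Get-OsBuildStatus
$engineStatus, $buildStatus | Format-List

if (-not $engineStatus.EnginePatched) {
    # Engine fixes arrive with definition updates; pull one now instead of waiting for the schedule.
    Write-Warning "Engine $($engineStatus.EngineVersion) is below $FixedEngine; run Update-MpSignature and re-check."
}
```

On builds other than 15063 the KB4016871 check is reported as false by design; the engine check is the one that applies to every supported Windows version.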