Google Project Zero researcher Tavis Ormandy has a long legacy of finding unknown, critical software vulnerabilities to his credit. So when he calls a new bug the worst in recent memory, it’s likely not hyperbole.
On Saturday, Ormandy tweeted that he and colleague Natalie Silvanovich has found a Windows remote code execution vulnerability that he labeled “crazy bad.”
“Attack works against a default install, don’t need to be on the same LAN and it’s wormable,” Ormandy said in a second tweet.
Ormandy did not share any further details. A request for comment from Microsoft was not returned in time for publication.
Microsoft’s next scheduled release of security updates is tomorrow, meaning it’s unlikely that if Ormandy submitted his report on Saturday that Microsoft would have the time to build and test a patch in order to have it ready for Patch Tuesday.
That means users will have to wait for either an emergency patch release, or the next Patch Tuesday on June 13.
Project Zero has been at the center of a number of high-profile disclosures. The Google bug-hunters’ policy is to give vendors 90 days to acknowledge and patch a vulnerability, or seven days if the flaw is being publicly attacked.
Already this year there have been four serious public disclosures coming out of Project Zero starting with a Cisco WebEx remote code execution vulnerability patched in January after an Ormandy disclosure. Ormandy found a “magic URL” used by the WebEx extension during sessions that could be leveraged to carry out attacks through an iframe.
Several weeks later, Project Zero’s Ivan Fratric, disclosed a high-severity vulnerabilities in Edge and Internet Explorer that could allow for remote code execution. The bugs were privately disclosed in November and went unpatched, triggering Project Zero’s 90-day disclosure policy.
This was also around the time that Microsoft decided to postpone its February Patch Tuesday release, which at the time left a Windows GDI flaw found by Project Zero and a Windows SMB flaw—both of which had already been publicly disclosed—exposed for another month.
As it turned out, the Patch Tuesday postponement may have been related to a large cache of Windows exploits leaked by the ShadowBrokers in April that were patched in the March updates from Microsoft. The company never confirmed a connection, but the bulk of the ShadowBrokers’ leak hovered around the NSA’s interest in exploiting Windows SMB vulnerabilities.
Ormany was also responsible for finding and privately disclosing the Cloudbleed vulnerability to Cloudflare, whose network had been for months prior leaking sensitive data belonging to a number of Cloudflare customers.
Ormandy said three “minor” features in Cloudflare’s service were to blame and had since been turned off. Cloudflare said that the greatest potential impact for leaking sensitive data started Feb. 13, five days before Ormandy’s private disclosure.