Google Project Zero researchers Tavis and Natalie have stumped on what they call a “crazy bad” loophole in Microsoft’s built-in Windows anti-malware software.
Over the weekend, Ormandy and Silvanovich announced their discovery on Twitter causing fears that users were susceptible to attacks over email.
I think @natashenka and I just discovered the worst Windows remote code exec in recent memory. This is crazy bad. Report on the way.
— Tavis Ormandy (@taviso) May 6, 2017
It is a particular cause for concern as it can compromise your system without the user even opening or reading the full email.
Microsoft was made aware of the issue and finally on Tuesday it responded with a fix for the flaw with a critical update which patches the loophole.
After issuing the fix, the company has revealed details of how users were susceptible to attacks by the malware. “There are many ways that an attacker could place a specially crafted file in a location that is scanned by the Microsoft Malware Protection Engine. For example, an attacker could use a website to deliver a specially crafted file to the victim’s system that is scanned when the website is viewed by the user,” read a post on Microsoft’s Security TechCenter.
Further, the company stated, “An attacker could also deliver a specially crafted file via an email message or in an Instant Messenger message that is scanned when the file is opened. In addition, an attacker could take advantage of websites that accept or host user-provided content, to upload a specially crafted file to a shared location that is scanned by the Malware Protection Engine running on the hosting server.”
You can take a look at the list of affected applications here:
The fix will reach users over the course of the next two days. Till then you can read Microsoft’s detailed post addressing the problem here.
This article originally appeared on The Next Web