Google has been making it a habit of setting a fire under Microsoft’s security team. Often, its Project Zero researchers will find issues and report them to Microsoft to repair. If a fix doesn’t go up within a time limit, the vulnerabilities will be published in a public report. Today, Travis Ormandy announced on Twitter that Google has found “the worst” so far (via Hacker News.)
Ormandy didn’t divulge much more information about the Windows remote code execution besides that it is “crazy bad”, potentially spelling trouble for Microsoft. He continued to explain that attacks against the vulnerability worked against the default install, didn’t need to be on the same LAN, and it’s wormable meaning it can spread. His tweets also came with some complimentary fire emojis, just in case readers weren’t worried enough.
Attack works against a default install, don't need to be on the same LAN, and it's wormable. ????
— Tavis Ormandy (@taviso) May 6, 2017
Once the report is sent to the tech giant, they will be given a 90-day leniency to correct the issue before Google goes public and it becomes an even bigger problem.