
Microsoft just released an emergency patch to fix a devastating new vulnerability

Published May 9th, 2017 4:04PM EDT


For many Windows users, Microsoft’s own built-in malware protections are the only thing standing between them and the many bad actors pushing for control of their systems. Today, the company is issuing an emergency update to fix a new, extremely scary vulnerability in the operating system’s anti-malware software that has the power not only to bypass those protections, but to effectively hand over complete control of a user’s computer to a hacker.

The exploit, which was discovered and reported to Microsoft by Google security researcher Tavis Ormandy, requires a “specially crafted file,” which can be sent via email or distributed on compromised websites. The file, when scanned by the Windows malware protection software utilizing the Microsoft Malware Prevention Engine, allows the attacker to gain full control of the system. Once the exploit is successfully executed, the malware allows the attacker to install or delete programs, create new user accounts with full permissions, and gain access to private information wherever it might be stored.

What’s particularly scary about this vulnerability is that the file uses Microsoft’s own anti-malware protections to break into the system, and because Windows is extremely thorough about scanning any and all content a user comes in contact with, even online, the malware file doesn’t even need to be opened for it to work its devious magic. In fact, even getting the file in an email — whether you open the email or view the attachment or not is irrelevant — is enough to open your computer to attackers.

Microsoft’s patch is already being rolled out, and the company says that Windows’ own built-in updates will close the gaping hole behind the scenes without you even realizing it, though it can take up to 48 hours for all Windows machines to be free of this frightening oversight.