In his report, Ormandy explains that this new vulnerability would allow attackers to take control of the emulator inside the MsMpEng engine, with serious consequences. MsMpEng is the anti-malware engine of Windows Defender. For example, an attacker would have been able to execute code remotely when Windows Defender scanned an executable sent by email. According to Ormandy, MsMpEng includes “a full system x86 emulator that is used to execute any untrusted files that look like PE executables.”
A silent Windows Defender fix
Unlike the previous flaw, this time Ormandy disclosed the vulnerability privately to Microsoft. Back on May 9th, the researcher had posted the earlier vulnerability on Twitter and received heavy criticism for not notifying Microsoft first. The company released a security advisory for that flaw and then started rolling out an automatic update to MsMpEng. This time, however, Microsoft was able to patch the flaw silently. According to Ormandy’s report, he informed Microsoft about the new vulnerability on May 12th, and within 17 days the company had fixed and patched it. Google’s push for rapid fixes appears to have succeeded: the Project Zero team’s policy is to publish a flaw ninety days after the developer has been notified.