‘Crazy bad’ Windows bug used antivirus to infect computers
Microsoft has started rolling out a fix for the issue
A recently discovered vulnerability in Windows has been described by security experts as “the worst Windows remote code execution in recent memory.”
It allowed cyber criminals to remotely gain control of a computer running Microsoft’s desktop operating system, without the user actually falling for a scam or doing anything wrong.
The bug, which was discovered by Tavis Ormandy and Natalie Silvanovich, instead targeted the malware protection engine powering Windows Defender.
Attackers were able to hijack a Windows 8, Windows 8.1 or Windows 10 computer by sending a “specially crafted” malicious file to it, via email or instant messenger, for instance.
Rather than protecting users against it, the Microsoft Malware Protection Engine would unintentionally trigger the malware by automatically running a scan on it.
“An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the LocalSystem account and take control of the system,” wrote Microsoft in a security advisory.
“An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”
Mr Ormandy, a vulnerability researcher at Google’s Project Zero, described the bug as “crazy bad”.
However, he also praised Microsoft for the speed at which it reacted to the discovery.
The company has issued an update, which is automatically rolling out to users.
You can see if your computer has received the update by launching Windows Defender – search for it on the taskbar if you don't know where to locate it – and opening the Settings menu.
The build version of the program should be 1.1.13704.0 or higher.