Microsoft has patched a severe flaw affecting many Windows machines.
Late Monday, the company issued a fix for a bug in its anti-virus scanner that could be manipulated to remotely control Windows computers.
Researcher Tavis Ormandy called the bug “crazy bad,” in a tweet on Saturday. Ormandy found the flaw with fellow Google Project Zero researcher Natalie Silvanovich and reported it to Microsoft over the weekend. Project Zero is a team of Google researchers who find serious security vulnerabilities in services around the web.
Microsoft quickly fixed the flaw after the duo reported it. The bug existed in the Microsoft Malware Protection Engine, an anti-virus scanner on some Windows machines that regularly looks for suspicious code going through the computer’s network.
To exploit the flaw, an attacker could have written a special piece of code to trigger remote execution because of an error in how the engine read the code. It could be triggered by something as simple as sending an email. Affected software included Windows Defender for Windows 7, 8.1 and 10.
Consumers who use the anti-virus product are automatically protected if they have Windows Update turned on. In a summary of the issue, Microsoft said updates will automatically be applied within 48 hours.