“An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the LocalSystem account and take control of the system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” said Microsoft. A hacker could deliver the file to via a malicious website, email, or instant message for remote delivery.
A Strange Disclosure
It’s a bug that draws parallels to the one Google’s Project Zero discovered back in May. This time, however, the source of the information is much more surprising. The National Cyber Security Center is a unit of the UK’s GCHQ. Though its purpose is to give citizen’s and government cybersecurity advice, the GCHQ itself is much shadier. It’s the agency responsible for spying on millions of U.K. citizens, including MPs, as well as human rights organizations abroad. GCHQ could have easily kept the exploit secret or shared it with MI5, but instead chose to disclose it. In doing so, it ensures a safer environment for government and everybody using Windows. Microsoft notes that the details of the bugs have not been made public, and will be rolling out automatic updates to take care of the issues. The bugs, CVE-2017-11937 and CVE-2017-11940, should have remedies within 48 hours.