Microsoft published Security Advisory 4022344 yesterday, which informs customers about a security vulnerability in the Microsoft Malware Protection Engine.
The Microsoft Malware Protection Engine is used by various Microsoft products, including Windows Defender and Microsoft Security Essentials on consumer PCs, and products such as Microsoft Endpoint Protection, Microsoft Forefront, Microsoft System Center Endpoint Protection, or Windows Intune Endpoint Protection on the business side.
All of these products are affected by a critical vulnerability that allows remote code execution if a program that uses the Microsoft Malware Protection Engine scans a crafted file. An attacker who exploits it successfully can execute arbitrary code on the system, and because real-time protection scans files automatically as they arrive, no action by the user is required beyond the file reaching the machine.
The update addresses a vulnerability that could allow remote code execution if the Microsoft Malware Protection Engine scans a specially crafted file. An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the LocalSystem account and take control of the system.
Google Project Zero researchers Tavis Ormandy and Natalie Silvanovich discovered the vulnerability on May 6th, 2017; Tavis called it the "worst Windows remote code exec in recent memory". The researchers notified Microsoft and withheld the details from the public, in line with Project Zero's policy of giving vendors 90 days to fix a reported vulnerability.
Microsoft produced a fix quickly and has already pushed an updated engine to Windows Defender and the other affected products.
Windows customers who have any of the mentioned products installed on their devices need to make sure that the engine is up to date.
On Windows 10 for instance, you'd do that in the following way:
Check the "Engine Version" listed there and make sure it is 1.1.13704.0 or later; that is the first engine version that contains the fix.
Windows Defender updates are available through Windows Update, and Microsoft has published information on how to update the Microsoft Malware Protection Engine on various versions of Windows and in the various products affected by the vulnerability.
The Malware Protection Center on the Microsoft website offers information on updating Microsoft antimalware products manually.
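The same check and update, scripted in PowerShell, as an added example that is not part of the article and not Microsoft's own tooling documentation. It assumes the Defender PowerShell module (Get-MpComputerStatus, Update-MpSignature) is available, and falls back to the "Signature Updates" registry key and MpCmdRun.exe for older products such as Security Essentials or Endpoint Protection; those registry paths and executable locations are assumptions you should verify on your own systems.

```powershell
# Added example, not from the article: report the installed Malware Protection
# Engine version and trigger an update if it predates the fixed build named in
# Security Advisory 4022344. Run from an elevated prompt.

$FixedEngine = [version]'1.1.13704.0'   # first engine version carrying the fix

# Assumed locations; Windows Defender on Windows 8.1/10 uses the first of each,
# Security Essentials / Endpoint Protection installs use the second.
$RegistryKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows Defender\Signature Updates',
    'HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware\Signature Updates'
)
$MpCmdRunPaths = @(
    "$env:ProgramFiles\Windows Defender\MpCmdRun.exe",
    "$env:ProgramFiles\Microsoft Security Client\MpCmdRun.exe"
)

function Get-EngineVersion {
    # Prefer the Defender cmdlet; otherwise read the EngineVersion registry value.
    if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
        return [version](Get-MpComputerStatus).AMEngineVersion
    }
    foreach ($key in $RegistryKeys) {
        $v = (Get-ItemProperty -Path $key -Name EngineVersion -ErrorAction SilentlyContinue).EngineVersion
        if ($v) { return [version]$v }
    }
    throw 'No Microsoft antimalware engine found on this system.'
}

function Invoke-EngineUpdate {
    # Engine updates ship with definition updates, so a signature update pulls
    # in the new engine as well.
    if (Get-Command Update-MpSignature -ErrorAction SilentlyContinue) {
        Update-MpSignature
        return
    }
    foreach ($exe in $MpCmdRunPaths) {
        if (Test-Path $exe) { & $exe -SignatureUpdate; return }
    }
    throw 'No update tool found; update manually per the Malware Protection Center instructions.'
}

$engine = Get-EngineVersion
Write-Host "Installed engine: $engine (fixed in $FixedEngine)"

# Compare [version] objects, not strings: as text, '1.1.9999.0' sorts after
# '1.1.13704.0' even though it is the older build.
if ($engine -lt $FixedEngine) {
    Write-Warning 'Engine predates the fixed build; requesting an update...'
    Invoke-EngineUpdate
    $engine = Get-EngineVersion
    if ($engine -lt $FixedEngine) {
        Write-Warning "Still at $engine after the update attempt; check connectivity and update manually."
    } else {
        Write-Host "Engine updated to $engine."
    }
} else {
    Write-Host 'Engine is at or above the fixed version.'
}
```

Run the script on each machine you manage, or wrap the version check in a compliance query; the string-versus-version comparison is the one pitfall worth remembering, since a naive text comparison will wrongly pass older four-digit builds.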
Google has released the vulnerability report on the Project Zero website. This makes it even more pressing to update the engine that Microsoft's security programs use, as attackers may use the information to craft attacks against systems that are still vulnerable.
Vulnerabilities in MsMpEng are among the most severe possible in Windows, due to the privilege, accessibility, and ubiquity of the service.
The core component of MsMpEng responsible for scanning and analysis is called mpengine. Mpengine is a vast and complex attack surface, comprising handlers for dozens of esoteric archive formats, executable packers and cryptors, full system emulators and interpreters for various architectures and languages, and so on. All of this code is accessible to remote attackers.
Now You: Which security software do you use on your system, and why?
Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.