Update Windows Security software to protect against a serious vulnerability - gHacks Tech News

Update Windows Security software to protect against a serious vulnerability

Microsoft published information about a new security vulnerability that affects Windows Defender, Microsoft Security Essentials, and several Enterprise-specific anti-malware solutions.

CVE-2018-0986, Microsoft Malware Protection Engine Remote Code Execution Vulnerability, describes a vulnerability in the Microsoft Malware Protection Engine that attackers could exploit to execute code on the system.

What makes the vulnerability particularly problematic is that it can be triggered by Microsoft security software scanning a specially crafted file. In other words, the attack works without user interaction provided that the file finds its way on to the target system (for instance via a download).

windows security vulnerability

Microsoft lists several scenarios that attackers could exploit. Attackers could use websites to deliver specially crafted files to users, attach them to emails or messaging programs. One of the easiest options that attackers have at their disposal is to attack user systems through specially crafted JavaScript files loaded when a user opens a site in a web browser.

Microsoft anti-malware products are configured to scan files automatically by default.  The file the attack is carried out with would be scanned immediately on systems with real-time protection enabled.

Microsoft released an update for all affected products that corrects the security issue. Windows systems with the engine version 1.1.14700.5 or later are protected from the vulnerability.

You can verify the version on consumer versions of Windows in the following way (thanks Woody)

  • Windows 10: Use Windows-I to open the Settings application and go to Update & Security > Windows Defender.
  • Windows 8.1: Tap on the Windows-key to open the Start Menu. Type Windows Defender and select the result. Select Help > About in the program window.
  • Windows 7: Open the Start Menu with a click. Type Windows Defender and load the result. Select Help > About.

While it is possible to update definitions manually, updates to Windows Defender's malware engine come through Windows Update. You may want to run a manual check for updates if the reported malware engine is lower than the version the patch was introduced in.

  1. Tap on the Windows-key, type Windows Update, and select the result.
  2. Click on check for updates and follow the instructions.

An article on Bleeping Computer offers more information about the vulnerability. According to information posted on the site, it was a Google security researcher who discovered the flaw in mpengine.dll. Microsoft rates the bug as critical, the highest severity level as successful exploitation of the vulnerability may grant an attacker full control over the system.

Systems with third-party security software and a disabled Windows Defender or other affected Microsoft security product are not affected by the vulnerability. It is still recommended to update the malware engine as soon as possible to the latest version.

Summary
Update Windows Security software to protect against a serious vulnerability
Article Name
Update Windows Security software to protect against a serious vulnerability
Description
Microsoft published information about a new security vulnerability that affects Windows Defender, Microsoft Security Essentials, and several Enterprise-specific anti-malware solutions.
Author
Publisher
Ghacks Technology News
Logo

We need your help

Advertising revenue is falling fast across the Internet, and independently-run sites like Ghacks are hit hardest by it. The advertising model in its current form is coming to an end, and we have to find other ways to continue operating this site.

We are committed to keeping our content free and independent, which means no paywalls, no sponsored posts, no annoying ad formats or subscription fees.

If you like our content, and would like to help, please consider making a contribution:


Previous Post: «
Next Post: »

Comments

  1. AAA said on April 4, 2018 at 7:52 pm
    Reply

    Youpieeee! Mine is engine version 1.1.14700.5.
    What a relief! :D

  2. AAA said on April 4, 2018 at 7:54 pm
    Reply

    But, Martin, where’s the anticipated ending of the article? You know that line: “Now, you… what security software do you use? And, is your MS Security System differs from the version above?” :D

  3. AAA said on April 4, 2018 at 8:04 pm
    Reply

    Martin, why did you delete my comment? :(

    1. Martin Brinkmann said on April 4, 2018 at 8:13 pm
      Reply

      I have not deleted your comment. I see two of your comments on the page, did you write more?

      1. John Fenderson said on April 4, 2018 at 10:11 pm
        Reply

        I wonder if it would be wise to put a banner on the page to notify people that there are intermittent issues with the comments, so nobody gets the wrong idea.

      2. AAA said on April 5, 2018 at 3:21 am
        Reply

        Yes. They reappeared again after sometime. Strange. Even when I refreshed the page, they were not there — so I thought you had deleted them. I see them now with the ‘Classic version’ of your site.

      3. Sophie said on April 5, 2018 at 4:41 pm
        Reply

        Comments are in a poor state for a little while now…. very odd.

  4. Sebas said on April 4, 2018 at 8:27 pm
    Reply

    In MSE: Open>Help>About.

    1. Martin Brinkmann said on April 4, 2018 at 8:28 pm
      Reply

      Thanks Sebas!

  5. Bobby Phoenix said on April 4, 2018 at 8:44 pm
    Reply

    Thanks for the heads-up. Mine is showing updated to the correct version, but I haven’t had a Windows Update since 03/22/2018. Maybe it came in through the cumulative updates on that day?

    1. Martin Brinkmann said on April 4, 2018 at 8:57 pm
      Reply

      I’m not 100% sure but Engine updates may not be listed as individual updates as they may have no KB attached to them. Maybe someone with deeper knowledge can chime in and explain this in more detail.

      1. LTL said on April 4, 2018 at 11:44 pm
        Reply

        “Windows Defender updates go through whether you’ve enabled Windows Update or not — they even go through if you’ve turned off the Windows Update service. In theory, you should be receiving the new version today or tomorrow.” according to Woody Leonhard.

      2. chesscanoe said on April 5, 2018 at 12:55 am
        Reply

        I did a manual Check for Windows Update about 22:00 EDT 2018-04-03 and got the Defender level you reference. It was not available earlier that day with a manual check. Windows Update never shows Defender Updates in its history. Instead while in the initial Windows Update screen, click on Defender on the left for current Defender levels.

      3. chesscanoe said on April 5, 2018 at 3:09 am
        Reply

        “about” is the correct link for https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0986 but in words you say CVE-2018-098. It should be 0986.

    2. Richard Allen said on April 5, 2018 at 12:51 am
      Reply

      If you have “Definition Update for Microsoft Security Essentials – KB2310138 (Definition 1.265.51.0)” which I downloaded today you should get the new engine version. I have Windows Update set to manual, I checked my engine version number and it was the vulnerable one, downloaded the definition update and verified it includes the new engine.

      As far as Windows Updates go I still haven’t done the March updates. I have Windows Update set to ‘never check’ but it still pulls the definition updates for MSE on Win7.

    3. Richard Allen said on April 5, 2018 at 12:58 am
      Reply

      Sorry, just noticed I have two definition updates today. The first one, about 10 hours ago, I downloaded myself by doing a manual check for updates. Since then MSE received another. The one that included the new engine was: “Definition Update for Microsoft Security Essentials – KB2310138 (Definition 1.265.36.0)”.

  6. Pleasecheck said on April 4, 2018 at 9:30 pm
    Reply

    Martin, it says 3 comments but does not show any of them.

    1. Bobby Phoenix said on April 4, 2018 at 10:49 pm
      Reply

      Yeah the comments seem to vanish. A lot of articles show comment counts, but don’t show any even with a page refresh, but I’ll come back a half hour later, and see them. I tried Firefox and Chrome. Same thing.

    2. AAA said on April 5, 2018 at 3:25 am
      Reply

      Use the classic version if viewing on mobile. It works great.

  7. Franck said on April 4, 2018 at 11:27 pm
    Reply

    Thanks a lot for the details and picture !

  8. basicuser said on April 4, 2018 at 11:47 pm
    Reply

    Thanks for the article. Validates my decision to ditch Defender and Security Essentials and surf with JavaScript toggled off.

  9. noone said on April 5, 2018 at 1:20 am
    Reply

    Martin,

    Your article needs a small correction, it says CVE-2018-098 in the second sentence, but it should read CVE-2018-0986.

    Otherwise, it’s a great article, keep up the great work.

  10. Mark Hazard said on April 5, 2018 at 3:14 am
    Reply

    I got a large Windows Defender update of about 33MB yesterday. It was a single update since I had received other Windows Defender updates earlier. Most Windows Defender updates I receive are one to two megabytes but some are larger. Large updates make me nervous since I don’t know what they contain and I don’t want Microsoft snooping through my files, although none are illegal.
    It ‘s the principle of it.

    When I read Woody’s post on his website today, I checked my Windows Defender engine version and it was the updated one.
    I think that the large update was the one which updated the engine.

    1. LTL said on April 5, 2018 at 2:58 pm
      Reply

      @Mark Hazard can you please elaborate how you got the updates?
      Did you make Defender check for updates, or were they installed automatically?

  11. Dave said on April 5, 2018 at 6:54 am
    Reply

    Everyone cries about windows privacy then uses a Microsoft program that scans every file on their pc?

    /eyeroll

    1. Sophie said on April 5, 2018 at 4:43 pm
      Reply

      Yes, they do….which is why Defender has not been allowed to run on any of my Win10 PCs for many months.

      I just don’t get why anyone would use it. Little more than spyware masquerading as…..

  12. TelV said on April 5, 2018 at 9:24 am
    Reply

    I disabled WD a long time ago using Autoruns.

    Malwarebytes takes care of my system security these days.

    1. A different Martin said on April 5, 2018 at 9:28 pm
      Reply

      @TelV:

      I use Kaspersky Free as my primary real-time antivirus but I decided to leave Windows Defender running, since (so far as I know) it doesn’t conflict with any other real-time anti-malware packages* and I have to disable Kaspersky from time to time, e.g., to update VirtualBox extension packs. I want something running in background when Kaspersky protection is off, especially in case I forget to turn it back on right away.

      *I remember reading a gHacks article saying that something akin to the old EMET protection was coming to Windows 7’s Windows Defender sometime this summer. If and when that happens, I suppose Windows Defender could start conflicting with Malwarebytes Anti-Exploit, like I *believe* EMET did.

      1. TelV said on April 6, 2018 at 10:11 am
        Reply

        I was lucky in that I purchased a lifetime license to Malwarebytes Premium for $23 about three weeks before the offer ended. So now I don’t have to pay anything for it ever again.

        At the time though it didn’t have an AV function, but I wasn’t too bothered by that because malware has changed now and its main function is to part you from your money whereas before it was just script kiddies who took peverse pleasure in causing havoc with the OS.

        Since version 3.0 though Mbam now includes as AV function and registers itself as the primary antivirus in Windows whereby WD will be terminated anyway.

  13. Test said on April 5, 2018 at 3:48 pm
    Reply

    Testing

  14. Jonnyredhead said on April 5, 2018 at 5:03 pm
    Reply

    Is there a link to manually update windows defender engine for Win7 x64.

  15. A different Martin said on April 5, 2018 at 7:46 pm
    Reply

    I run Windows 7 and I’m confused about a discrepancy between what Martin wrote here and what Woody Leonhard wrote at AskWoody.

    Per Martin:

    “It is still recommended to update the malware engine as soon as possible to the latest version.”

    Per Woody:

    “If you don’t have [the updated Windows Defender Malware Protection Engine] yet, there’s nothing you can do. Windows Defender updates go through whether you’ve enabled Windows Update or not — they even go through if you’ve turned off the Windows Update service. In theory, you should be receiving the new version today or tomorrow. [ https://www.askwoody.com/2018/is-your-machine-running-the-latest-malware-protection-engine/ ]”

    I’m hoping Woody is right, because (like Jonnyredhead) I haven’t seen a method for manually updating, and I’m not seeing a way to pick up Windows Defender *engine* updates in WSUS Offline Update (unless they’re classified as a standard Windows 7 security-only updates).

    1. A different Martin said on April 5, 2018 at 9:12 pm
      Reply

      Never mind, I guess. My Windows 7 Windows Defender was an older version when I checked it a couple of hours ago, and it’s up to date now. All *I* did was to manually update Windows Defender definitions (which did not in itself seem to trigger the protection engine update) and to do a WSUS Offline Update run (which ended up installing nothing). I’m *guessing* it really *did* just update itself, even though my Windows Update service is disabled.

    2. Jonnyredhead said on April 6, 2018 at 1:44 am
      Reply

      Mine just updated.

  16. neal said on April 5, 2018 at 9:59 pm
    Reply

    Run command prompt in admin mode and copy and paste this then run. It creates a scheduled task to check updates every hour.

    schtasks /create /tn “Defender Definition Update” /sc HOURLY /ru SYSTEM /rl HIGHEST /tr “‘C:\Program Files\Windows Defender\MpCmdRun.exe’ -SignatureUpdate -MMPC”

  17. LTL said on April 6, 2018 at 1:22 am
    Reply

    I managed to manually update the (disabled by av) Windows Defender engine to version 1.1.14700.5 on my Win7 Pro SP1 x64 doing this (not my invention):
    Log in as admin to temporarily disable your real time av.
    Run: “C:\Program Files\Windows Defender\MSASCui.exe” -Update
    (or whatever your path to it is).

    When I did this this morning, it was only updated to version .4, but when I did it again tonight it updated to version .5

    Good luck

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

Please note that your comment may not appear immediately after you post it.