If you've tinkered with the settings to prevent these automatic updates, however, you should install this patch to make sure an attacker can't exploit this now-public vulnerability on your system.
On May 8, Microsoft released an out-of-band fix for the problem, demonstrating unusual swiftness in addressing a serious issue with its software.
Microsoft has explained that if the attacked system has real-time protection enabled, the exploit is triggered as soon as the infected file or files are scanned.
The company said in that security advisory that attackers could exploit the vulnerability to "install programs; view, change, or delete data; or create new accounts with full user rights".
Over the weekend, Google's Project Zero researcher Tavis Ormandy tweeted about discovering what he referred to as "the worst Windows remote code exec in recent memory".
Microsoft released the out-of-band patch Monday evening and revealed that the issue (CVE-2017-0290) was in the Microsoft Malware Protection Engine and enables attackers to perform remote code execution (RCE) or trigger a denial-of-service attack through type confusion and application crashes. Microsoft actually released an emergency update on Monday, just hours ahead of today's regularly scheduled "Patch Tuesday" (the second Tuesday of each month), to fix a risky flaw present in most of Microsoft's anti-malware technology that's being called the worst Windows bug in recent memory.
They claimed that vulnerabilities in the Microsoft Malware Protection Engine "are among the most severe possible in Windows, due to the privilege, accessibility, and ubiquity of the service". NScript isn't sandboxed and runs at a very high privilege level, and it's used to evaluate untrusted code by default on nearly every modern Windows system.
Users don't have to take any action if their security products are set to the default, which will update their engines and definitions automatically, Microsoft said. "This is as surprising as it sounds".
The vulnerability presents considerable trouble for Windows users: Windows Defender is meant to keep users safe, but trusting the Microsoft-developed program that comes installed by default on all Windows machines actually left users at risk.
Desktop and server Windows deployments might be at risk, especially if real-time protection is turned on in the affected security products.
According to the Project Zero team, the issue was in Microsoft's anti-malware protection engine.