Microsoft Patches Critical Malware Protection Engine Vulnerability

If you've tinkered with the settings to prevent these automatic updates, however, you should install this patch to make sure an attacker can't exploit this now-public vulnerability on your system.

On May 8, Microsoft released an out-of-band fix for the problem, demonstrating unusual swiftness in addressing a serious issue with its software.

Microsoft has explained that if real-time protection is enabled on the targeted system, the exploit is triggered immediately when the infected file or files are scanned.

In fact, Tavis Ormandy, a vulnerability researcher at Google, said in a tweet "This is insane bad". Further, mpengine contains a component called NScript that evaluates filesystem and network activity that looks like JavaScript, checking it for malicious behavior.

The company said in its security advisory that attackers could exploit the vulnerability to "install programs; view, change, or delete data; or create new accounts with full user rights".

Over the weekend, Google's Project Zero researcher Tavis Ormandy tweeted about discovering what he referred to as "the worst Windows remote code exec in recent memory".

Microsoft released the out-of-band patch Monday evening and revealed that the issue (CVE-2017-0290) was in the Microsoft Malware Protection Engine and enables attackers to perform remote code execution (RCE) or trigger a denial-of-service attack through type confusion and application crashes. The emergency update arrived on Monday, just hours ahead of today's regularly scheduled "Patch Tuesday" (the 2nd Tuesday of each month), to fix a risky flaw present in most of Microsoft's anti-malware technology, a flaw that's being called the worst Windows bug in recent memory.

The pair discovered that NScript, the engine's JavaScript interpreter, doesn't properly validate the properties of the messages it scans.

They claimed that vulnerabilities in the Microsoft Malware Protection Engine "are among the most severe possible in Windows, due to the privilege, accessibility, and ubiquity of the service". NScript isn't sandboxed and runs at a very high privilege level, and it's used to evaluate untrusted code by default on nearly every modern Windows system.

Users don't have to take any action if their security products are set to the default, which will update their engines and definitions automatically, Microsoft said. "This is as surprising as it sounds".
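One way for an administrator to confirm that a host has actually picked up the updated engine, rather than assuming the default auto-update ran, is to query Defender's status from PowerShell. This is an added example, not code from the article or from Microsoft; the fixed engine version is not stated on this page, so `$MinimumSafeEngine` is a labelled placeholder to be filled in from the Microsoft advisory for CVE-2017-0290.

```powershell
# Added example: check whether the Malware Protection Engine on this host is
# at or above a known-fixed build, and whether real-time protection is on
# (the combination in which a malicious file is evaluated as soon as it is
# scanned). Requires the built-in Defender module (Windows 8.1 / Server 2012
# R2 and later).

function Test-MpEngineVersion {
    param(
        # PLACEHOLDER: set this to the fixed engine version from the
        # Microsoft advisory for CVE-2017-0290 before trusting the result.
        [Parameter(Mandatory)]
        [version]$MinimumSafeEngine
    )

    $status = Get-MpComputerStatus -ErrorAction Stop
    $engine = [version]$status.AMEngineVersion

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        EngineVersion       = $engine
        EngineIsPatched     = ($engine -ge $MinimumSafeEngine)
        RealTimeProtection  = $status.RealTimeProtectionEnabled
        SignatureAgeDays    = $status.AntivirusSignatureAge
        # Unpatched engine with real-time scanning on is the worst case:
        # any scanned file reaches the vulnerable NScript code path.
        Exposed             = (-not ($engine -ge $MinimumSafeEngine)) -and
                              $status.RealTimeProtectionEnabled
    }
}

# Usage: replace the placeholder with the advisory's fixed version.
$result = Test-MpEngineVersion -MinimumSafeEngine '0.0.0.0'
$result | Format-List

if (-not $result.EngineIsPatched) {
    # Pull the current engine and definitions now instead of waiting for
    # the scheduled update; re-run the check afterwards to confirm.
    Write-Warning "Engine $($result.EngineVersion) is below the fixed build; updating."
    Update-MpSignature -ErrorAction Stop
}
```

Run this across a fleet (for example via `Invoke-Command`) and collect the `Exposed` field to find the hosts that still need attention.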

The vulnerability presents considerable trouble for Windows users: Windows Defender is meant to keep users safe, but trusting the Microsoft-developed program that comes installed by default on all Windows machines actually left users at risk.

Desktop and server Windows deployments might be at risk, especially if real-time protection is turned on in the affected security products.

According to the Project Zero team, the issue was in Microsoft's anti-malware protection engine.
