Thursday, 24 May 2018

Microsoft fixes remote hacking flaw in Windows Malware Protection Engine

12 May 2017

'The update addresses a vulnerability that could allow remote code execution if the Microsoft Malware Protection Engine scans a specially crafted file,' Microsoft explains in its advisory notice. In practice, an attacker booby-traps a file with malicious code that runs as soon as Microsoft's anti-malware engine scans it; no action beyond getting the file onto the machine is needed from the victim.

After the quick fix, Ormandy responded by saying he was "blown away at how quickly @msftsecurity responded to protect users, can't give enough kudos".

Last month Microsoft released the Creators Update for Windows 10. Not all users have been offered it through Windows Update yet, but many installed it manually; for those PCs this month's Patch Tuesday moves the build forward from 15063.250 to 15063.296.

"The core component of MsMpEng responsible for scanning and analysis is called mpengine", Ormandy's bug report notes. Tavis Ormandy said that he and Natalie Silvanovich had discovered "the worst Windows remote code exec in recent memory". The engine is used by Windows Defender, the malware scanner preinstalled on Windows 7 and later, as well as by other Microsoft consumer and enterprise security products: Microsoft Security Essentials, Microsoft Forefront Endpoint Protection 2010, Microsoft Endpoint Protection, Microsoft Forefront Security for SharePoint Service Pack 3, Microsoft System Center Endpoint Protection and Windows Intune Endpoint Protection. The fix ships as an engine update and reaches most machines automatically; if you've tinkered with the settings to prevent those automatic updates, install this patch now, because the vulnerability is public and an attacker can exploit it on any unpatched system.
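A quick way to confirm that a machine actually received the engine update, as an added example that is not part of the original article or of Microsoft's guidance. It relies on the `Get-MpComputerStatus` and `Update-MpSignature` cmdlets from the Defender PowerShell module (Windows 8.1 / Server 2012 R2 and later; Windows 7 with Security Essentials does not have them). The engine version used as the "fixed" threshold is the one Microsoft's advisory names as the first build with the fix; it is an assumption here, so check it against the advisory before relying on this script.

```powershell
# Added check, not code from the article or from Microsoft.
# $FixedEngine: first engine build carrying the fix per Microsoft's advisory;
# treated as an assumption here, confirm it against the advisory text.
param(
    [version]$FixedEngine = '1.1.13704.0'
)

# Defender module cmdlet; fails on Windows 7 / Security Essentials hosts.
$status = Get-MpComputerStatus
$engine = [version]$status.AMEngineVersion

if ($engine -ge $FixedEngine) {
    "Engine $engine is patched (>= $FixedEngine)"
} else {
    "Engine $engine is VULNERABLE; forcing an engine/definition update"
    # Engine updates travel through the definition-update channel, so this
    # pulls the fix even where Windows Update itself has been disabled.
    Update-MpSignature -ErrorAction Stop
    $engine = [version](Get-MpComputerStatus).AMEngineVersion
    if ($engine -lt $FixedEngine) {
        throw "Still on engine $engine after update; check the update source and connectivity"
    }
    "Updated to engine $engine"
}

# Real-time protection is both what makes the bug reachable without user
# interaction and what delivers engine updates, so report it alongside.
"Real-time protection enabled: $($status.RealTimeProtectionEnabled)"
"Definitions last updated:     $($status.AntivirusSignatureLastUpdated)"
```

Run it from an elevated PowerShell prompt; `Update-MpSignature` needs administrator rights. The version comparison uses `[version]` rather than string comparison so that, for example, 1.1.13704.0 correctly sorts above 1.1.9999.0.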

The pair discovered that NScript, the engine's JavaScript interpreter, does not properly validate the input it evaluates while scanning. Because the engine runs as SYSTEM and is not sandboxed, a crafted script that trips the flaw can corrupt the scanner's memory and run code with that privilege.

The blockbuster update, which includes a brand-new version of Microsoft Paint, was rolled out to users gradually, a precaution to ease the strain on Microsoft's servers.

Ormandy's report describes NScript as an unsandboxed, highly privileged interpreter that evaluates untrusted code by default on all modern Windows systems, adding: "This is as surprising as it sounds". Once a crafted file is scanned, it exploits this vulnerability to compromise and take over the targeted system.

Attackers can deliver the crafted file through a number of avenues besides email attachments, including links sent by email or instant messenger to sites hosting the exploit. Anything that causes the file to land on disk and be picked up by real-time scanning is enough; the victim does not have to open it.