Microsoft has released an emergency patch for a “critical” remote code execution (RCE) vulnerability affecting its Malware Protection Engine.
To exploit the vulnerability, attackers first need to get a specially crafted file onto a user's machine. They can deliver it by tricking the user into visiting a website that hosts the file, by sending it via email or instant message, or by uploading it to a shared location. The goal is to cause the Microsoft Malware Protection Engine, which is found in Windows Defender, Microsoft Security Essentials, and other software, to scan the file, either automatically or at a scheduled time.
Microsoft’s security alert explains what happens if the malware engine scans the specially crafted file:
“An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the LocalSystem account and take control of the system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”
Tavis Ormandy, a security researcher at Google Project Zero who’s made a name for himself uncovering flaws in anti-virus software, first discovered the vulnerability along with his colleague Natalie Silvanovich on 5 May.
The duo published a report on CVE-2017-0290 a day later. That very same day, Microsoft’s researchers reached out to Ormandy and Silvanovich and confirmed they had reproduced the vulnerability on their end and said they were working on a fix. The update arrived two days later.
Ormandy credited Microsoft for its quick response time on Twitter:
Still blown away at how quickly @msftsecurity responded to protect users, can't give enough kudos. Amazing.
— Tavis Ormandy (@taviso) May 9, 2017
Administrators should view Microsoft’s security advisory for a list of vulnerable software. If they are running a potentially affected product, they should verify the version of its Microsoft Malware Protection Engine and confirm the service is automatically downloading definition updates. As long as automatic updates are enabled, the software will receive the patch within 48 hours.
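One way to carry out that check on a Windows Defender host, written here as an added example rather than code from the article or from Microsoft: it reads the engine version and definition age with the Defender PowerShell module and compares them against a minimum fixed engine version that you must copy from Microsoft's advisory (the value below is a placeholder). It assumes the Defender module (Get-MpComputerStatus) is present, which is not the case on Security Essentials hosts.

```powershell
# Added example: verify the Malware Protection Engine version and definition freshness
# on a host running Windows Defender. Requires the Defender PowerShell module
# (Get-MpComputerStatus / Update-MpSignature); Security Essentials hosts lack it.

# PLACEHOLDER: replace with the first fixed engine version listed in Microsoft's advisory.
$MinimumFixedEngineVersion = [version]'0.0.0.0'

function Test-MpEnginePatched {
    param(
        [Parameter(Mandatory)][version]$MinimumVersion,
        [int]$MaxSignatureAgeDays = 2   # the article says auto-updates deliver the fix within 48 hours
    )

    if ($MinimumVersion -eq [version]'0.0.0.0') {
        throw 'Set $MinimumFixedEngineVersion from the advisory before running this check.'
    }

    $status = Get-MpComputerStatus
    $engine = [version]$status.AMEngineVersion

    # One object per host so the output can be collected from many machines and filtered.
    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        EngineVersion        = $engine
        EnginePatched        = ($engine -ge $MinimumVersion)
        SignatureVersion     = $status.AntivirusSignatureVersion
        SignatureLastUpdated = $status.AntivirusSignatureLastUpdated
        SignatureAgeDays     = $status.AntivirusSignatureAge
        SignaturesCurrent    = ($status.AntivirusSignatureAge -le $MaxSignatureAgeDays)
        RealTimeProtection   = $status.RealTimeProtectionEnabled
    }
}

$check = Test-MpEnginePatched -MinimumVersion $MinimumFixedEngineVersion
$check | Format-List

if (-not $check.EnginePatched) {
    Write-Warning "Engine $($check.EngineVersion) is older than $MinimumFixedEngineVersion; run Update-MpSignature or apply the update manually."
}
if (-not $check.SignaturesCurrent) {
    Write-Warning "Definitions are $($check.SignatureAgeDays) days old; confirm that automatic definition updates are enabled."
}
```

A stale definition age is the practical signal that automatic updates are not working, since the engine update ships through the same channel as the definitions.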
It is also possible to install the update manually; Microsoft provides instructions for doing so.