Skip to content ↓ | Skip to navigation ↓

Microsoft has released an emergency patch for a “critical” remote code execution (RCE) vulnerability affecting its Malware Protection Engine.

On 8 May, the Redmond-based technology giant issued a security advisory addressing CVE-2017-0290. The flaw causes the Microsoft Malware Protection Engine to not scan a specially crafted file properly. It affects NScript, a component found in Microsoft’s anti-malware service which specifically evaluates the filesystem and network activity that looks like JavaScript.

To exploit the vulnerability, attackers need to first send users a specially crafted file. They can accomplish this preliminary attack via tricking a user into visiting a website hosting the file, sending over the file via email or instant message, and uploading the file to a shared location. Their mission is to cause the Microsoft Malware Protection Engine, which is found in Windows Defender, Microsoft Security Essentials, and other software, to scan the file either automatically or at a scheduled time.

Microsoft’s security alert explains what happens if the malware engine scans the specially crafted file:

“An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the LocalSystem account and take control of the system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

Bad actors could also use specially crafted JavaScript code to cause a denial of service condition, thereby causing the application to crash.

Tavis Ormandy, a security researcher at Google Project Zero who’s made a name for himself uncovering flaws in anti-virus software, first discovered the vulnerability along with his colleague Natalie Silvanovich on 5 May.

The duo published a report on CVE-2017-0290 a day later. That very same day, Microsoft’s researchers reached out to Ormandy and Silvanovich and confirmed they had reproduced the vulnerability on their end and said they were working on a fix. The update arrived two days later.

Ormandy credited Microsoft for its quick response time on Twitter:

Administrators should view Microsoft’s security advisory for a list of vulnerable software. If they are running a potentially affected product, they should verify the version of its Microsoft Malware Protection Engine and confirm the service is automatically downloading definition updates. As long as automatic updates are enabled, the software will receive the patch within 48 hours.

It is possible to install the update manually, however. For more information on how to manually process the fix, please click here.