Microsoft has released an update for its Malware Protection Engine (MPE) to address a critical remote code execution (RCE) vulnerability.
The flaw is a memory corruption bug in the engine's file scanning: a specially crafted file can corrupt the engine's memory when it is scanned, allowing an attacker to execute arbitrary code and take control of the vulnerable machine.
The issue was discovered by the UK's National Cyber Security Centre (NCSC).
Because the engine runs in the security context of the LocalSystem account, an attacker who successfully exploits the vulnerability could take control of the system and install programs; view, change, or delete data; or create new accounts with full user rights, Microsoft said in its advisory.
Exploitation requires only that an affected version of the Microsoft Malware Protection Engine scan a specially crafted file; the last vulnerable engine version is 1.1.14306.0.
Microsoft Malware Protection Engine version 1.1.14405.2 resolves the vulnerability.
There are multiple ways an attacker could get such a file onto a target, for example by delivering it through a website, an email attachment, or an instant message, and no user interaction with the file itself is needed once it lands somewhere the engine will scan.
“If the affected anti-malware software has real-time protection turned on, the Microsoft Malware Protection Engine will scan files automatically, leading to exploitation of the vulnerability when the specially crafted file is scanned. If real-time scanning is not enabled, the attacker would need to wait until a scheduled scan occurs in order for the vulnerability to be exploited,” Microsoft said in a post.
Microsoft said that all systems running an affected version of its anti-malware software are at risk.
"The update addresses the vulnerability by correcting the manner in which the Microsoft Malware Protection Engine scans specially crafted files," the advisory says.
Microsoft also said it has not identified any workarounds for this vulnerability, so updating the engine is the only mitigation.
Engine updates ship through the same channel as the regular malware definition updates, so the fix will be delivered automatically to affected systems and no action is normally required of enterprise administrators or end users. The update should reach all impacted software within 48 hours of release. The caveat is that this only holds where definition updates are actually arriving: administrators of enterprise deployments that stage updates through their own update management software should make sure engine updates are approved and distributed, and should verify the installed engine version rather than assume it.
Affected products include Microsoft Forefront and Windows Defender on Windows 7 SP1, Windows 8.1, Windows RT 8.1, Windows 10 (Gold, 1511, 1607, 1703 and 1709), Windows Server 2016 and Windows Server version 1709; Microsoft Exchange Server 2013 and 2016; Microsoft Security Essentials; and Windows Intune Endpoint Protection.
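One way to verify on a Windows host that the engine has actually moved past the vulnerable version, rather than trusting the automatic rollout, is to read the installed engine version and compare it against the versions named in the advisory. The script below is an added example, not code from Microsoft or from the article. It assumes the Defender PowerShell module (`Get-MpComputerStatus`) is present on Windows 8.1/10/Server 2016; the registry fallback paths for Windows Defender on older systems and for Microsoft Security Essentials, and the `MpCmdRun.exe` location, are assumptions to confirm against your own deployment.

```powershell
# Added example (not from the Microsoft advisory or the article): check whether the
# local Malware Protection Engine is at or above the version that fixes the flaw.
# Assumptions: the Defender module exposes Get-MpComputerStatus; the two registry
# paths below hold an EngineVersion value on products without that module; and
# MpCmdRun.exe lives in the default Windows Defender directory.

$FixedVersion   = [version]'1.1.14405.2'   # version the advisory says resolves the flaw
$LastVulnerable = [version]'1.1.14306.0'   # last vulnerable version named in the advisory

function Get-MpeVersion {
    # Preferred path: Windows Defender on 8.1/10/Server 2016 exposes the engine version
    # through the Defender module.
    if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
        return [version](Get-MpComputerStatus).AMEngineVersion
    }
    # Fallback for products without the module (registry locations are assumptions).
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows Defender\Signature Updates',      # Windows Defender
        'HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware\Signature Updates'  # Security Essentials
    )
    foreach ($k in $keys) {
        $v = (Get-ItemProperty -Path $k -Name EngineVersion -ErrorAction SilentlyContinue).EngineVersion
        if ($v) { return [version]$v }
    }
    throw 'Could not determine the Malware Protection Engine version on this host'
}

function Test-MpePatched {
    param([version]$Version = (Get-MpeVersion))
    # [version] comparison is numeric per component, so 1.1.14405.2 correctly sorts
    # above 1.1.14306.0 (a plain string compare would not be safe here).
    $state = if ($Version -ge $FixedVersion)     { 'fixed' }
             elseif ($Version -le $LastVulnerable) { 'vulnerable' }
             else { 'between advisory versions; confirm with vendor' }
    [pscustomobject]@{
        EngineVersion = $Version
        Patched       = ($Version -ge $FixedVersion)
        State         = $state
    }
}

$result = Test-MpePatched
$result | Format-List

# A stale engine usually means definition updates are not reaching the host.
# Trigger an update and re-check; the path is the default Defender location
# (assumption), adjust it for Security Essentials or Forefront installs.
if (-not $result.Patched) {
    & "$env:ProgramFiles\Windows Defender\MpCmdRun.exe" -SignatureUpdate
    Test-MpePatched | Format-List
}
```

Run this from an elevated PowerShell session on each host class you care about (workstation, Exchange server, Intune-managed endpoint), since the products listed above do not all store the engine version in the same place; a `State` of `vulnerable` after a forced signature update points at a blocked update channel rather than at the engine itself.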