Microsoft released an out-of-band security update Monday for the Microsoft Malware Protection Engine.
The patch plugs an easily exploitable bug that could allow remote attackers to compromise Windows systems.
An attacker could leverage the vulnerability to execute arbitrary code in the LocalSystem account.
That move could allow an attacker to take control of the target system, install programs, view, change, or delete data, and create new accounts with full user rights.
“To exploit this vulnerability, a specially crafted file must be scanned by an affected version of the Microsoft Malware Protection Engine,” Microsoft said in an advisory.
The Microsoft Malware Protection Engine ships in multiple Microsoft anti-malware products:
• Windows Defender for Windows 7, 8.1, RT 8.1, 10, 10 1511, 10 1607, 1703, and Windows Server 2016
• Microsoft Security Essentials
• Windows Intune Endpoint Protection
• Microsoft System Center Endpoint Protection
• Microsoft Endpoint Protection
• Microsoft Forefront Endpoint Protection 2010
• Microsoft Forefront Security for SharePoint Service Pack 3
Affected installations receive and apply the security update automatically, with no user action required.
“For enterprise deployments as well as end users, the default configuration in Microsoft antimalware software helps ensure that malware definitions and the Microsoft Malware Protection Engine are kept up to date automatically. Product documentation also recommends that products are configured for automatic updating,” researchers said in the advisory.
“Best practices recommend that customers regularly verify whether software distribution, such as the automatic deployment of Microsoft Malware Protection Engine updates and malware definitions, is working as expected in their environment.”
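As an added example (not from Microsoft's advisory or this article), the following PowerShell check verifies on a Windows Defender host that the engine update has actually landed and that definitions are current, which is the kind of deployment verification the advisory recommends. It assumes the Defender PowerShell module (Get-MpComputerStatus) is present, and the patched engine version is a placeholder you must fill in from the advisory, since this page does not state it.

```powershell
# Added example: confirm a Defender host picked up the Malware Protection Engine update.
# Assumes the Defender module (Get-MpComputerStatus) is available, as on Windows 8.1/10
# and Windows Server 2016. $RequiredEngineVersion is a PLACEHOLDER: set it to the
# patched engine version given in Microsoft's advisory for this update.

$RequiredEngineVersion = [version]'0.0.0.0'   # placeholder, replace with the advisory's value
$SignatureMaxAgeDays   = 3                    # local policy choice, not from the advisory

function Test-MpEngineUpdate {
    param(
        [version]$MinimumVersion = $RequiredEngineVersion,
        [int]$MaxSignatureAgeDays = $SignatureMaxAgeDays
    )
    $status = Get-MpComputerStatus
    $engine = [version]$status.AMEngineVersion
    $sigAge = (Get-Date) - $status.AntivirusSignatureLastUpdated

    # One object per host so results can be collected and filtered fleet-wide
    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        EngineVersion     = $engine
        EnginePatched     = ($engine -ge $MinimumVersion)
        SignatureVersion  = $status.AntivirusSignatureVersion
        SignatureAgeDays  = [math]::Round($sigAge.TotalDays, 1)
        SignaturesCurrent = ($sigAge.TotalDays -le $MaxSignatureAgeDays)
        RealTimeEnabled   = $status.RealTimeProtectionEnabled
    }
}

# Run locally, or fan out to a host list with Invoke-Command; any host reporting
# EnginePatched = $false has not received the out-of-band update yet.
$result = Test-MpEngineUpdate
$result | Format-List
if (-not $result.EnginePatched) {
    Write-Warning "Engine $($result.EngineVersion) is older than required $RequiredEngineVersion"
}
if (-not $result.SignaturesCurrent) {
    Write-Warning "Definitions are $($result.SignatureAgeDays) days old; automatic updating may be broken"
}
```

Hosts that fail either check are the ones where the "seamless" automatic update path described above is not working and deserve a manual update and a look at why distribution stalled.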
Google Project Zero researchers Tavis Ormandy and Natalie Silvanovich discovered the vulnerability and informed Microsoft Friday. By Monday, the fix was in.
The company acknowledged Ormandy’s and Silvanovich’s responsible disclosure, and said it had “not received any information to indicate that this vulnerability had been publicly used to attack customers when this security advisory was originally issued (on Monday evening).”