According to Project Zero researcher Tavis Ormandy, vulnerabilities found in Microsoft Malware Protection Engine are typically "among the most severe possible in Windows."
According to Project Zero researcher Tavis Ormandy, vulnerabilities found in Microsoft Malware Protection Engine are typically "among the most severe possible in Windows."

Microsoft Corporation has swiftly patched a critical bug its Microsoft Malware Protection Engine that one researcher who discovered it referred to as the "worst Windows remote code [execution vulnerability] in recent memory."

The flaw, designated CVE-2017-0290, causes the engine to improperly scan malicious crafted files, which can lead to an exploitable memory corruption. "An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the LocalSystem account and take control of the system," Microsoft warned in a security advisory on Monday. At that point, the attacker can "install programs; view, change, or delete data; or create new accounts with full user rights," the advisory continues.

Discovery of the flaw is credited to Google Project Zero researchers Natalie Silvanovich and Tavis Ormandy, the latter of whom tweeted that the bug was potentially the worst in recent memory, because the vulnerable Microsoft engine is typically enabled by default, because the attack can easily be turned into a network worm, and because specially crafted files need only be scanned – not even opened – to infect a victim. In a detailed report about the vulnerability on Saturday, May 6, Ormandy noted that vulnerabilities found in Microsoft Malware Protection Engine are typically "among the most severe possible in Windows."

Ormandy praised Microsoft for rapidly responding to the researchers' initial disclosure by automatically updating the Microsoft Malware Protection Engine in supported operating systems with an emergency patch, prior to its usual Patch Tuesday release. In a corresponding advisory on May 8, Microsoft advised customers to verify that their anti-malware products are now using version 1.1.10701.0 or later of the engine, as well as the most up-to-date malware definitions.

The Microsoft anti-malware software programs found to be affected by the vulnerability are as follows: Microsoft Forefront Endpoint Protection 2010; Microsoft Endpoint Protection; Microsoft Forefront Security for SharePoint Service Pack 3; Microsoft System Center Endpoint Protection; Microsoft Security Essentials; Windows Defender for Windows 7, Windows 8.1, Windows RT 8.1, Windows 10, Windows 10 1511, Windows 10 1607, Windows Server 2016 and Windows 10 1703; and Windows Intune Endpoint Protection. "Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers when this security advisory was originally issued," the company claimed in its advisory.

There are a variety of methods through which an adversary could deliver a specially file to exploit this now-patched engine flaw, including via emails, instant messages and links in a web browser. An attacker could even potentially compromise multiple machines by uploading specially crafted files to the servers of websites that host shared, user-provided content, Microsoft disclosed.