Hours before its regular monthly bundle of patches was due, Microsoft rushed out a critical update for the Microsoft Malware Protection Engine, fixing a serious security hole that could allow remote code execution if one of Microsoft’s anti-virus products scanned a booby-trapped file.
Redmond’s anti-malware engine is packaged and marketed in various forms: Windows Defender, Windows Intune Endpoint Protection, Microsoft Security Essentials, Microsoft System Center Endpoint Protection, Microsoft Forefront Security for SharePoint, Microsoft Endpoint Protection, and Microsoft Forefront Endpoint Protection.
Because the engine is shared, the flaw affected every one of those products. An attacker could seize control of a victim’s PC simply by getting a malicious file onto it, whether by email, instant message or a web browser link: the engine’s real-time protection scans such content automatically, so the victim does not even have to open the file, and the antivirus itself becomes the attack vector. The exposure is on by default, since Windows Defender ships enabled in Windows 8, 8.1, 10 and Windows Server 2012.
The vulnerability was discovered by Google Project Zero researchers Tavis Ormandy and Natalie Silvanovich, who reported it on May 6, and it was serious enough for Microsoft to create and release a patch by Monday, May 8. That is an unusually fast response for the company, which normally releases security updates on the second Tuesday of every month and rarely breaks out of that cycle.
In a tweet, Ormandy described the flaw as “the worst Windows remote code exec in recent memory. This is crazy bad… Attack works against a default install, don’t need to be on the same LAN, and it’s wormable.”
Users are advised to check that the Microsoft Malware Protection Engine version used in their product is 1.1.10701.0 or later. Note that the engine version is distinct from the malware definition (signature) version; having current signatures does not by itself mean the engine has been updated. Propagation of the fix to products that are configured for automatic updates can take up to 48 hours, but users can also trigger a manual update.
“Administrators of enterprise antimalware deployments should ensure that their update management software is configured to automatically approve and distribute engine updates and new malware definitions,” Microsoft said in its advisory. “Enterprise administrators should also verify that the latest version of the Microsoft Malware Protection Engine and definition updates are being actively downloaded, approved and deployed in their environment.”
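As an added example (not from the original article or from Microsoft’s advisory), the following PowerShell script performs the check the two paragraphs above describe: it reads the engine version, compares it against 1.1.10701.0, forces an update if the engine is older, and optionally repeats the check across a list of machines. It assumes the Windows Defender PowerShell module (`Get-MpComputerStatus`, `Update-MpSignature`) is available, which is the case on Windows 8.1, 10 and Server 2012 R2 and later; the hypothetical computer names in `$fleet` are placeholders. Other products in the list (Security Essentials, Forefront, SCEP) show the engine version in their own UI or management console instead.

```powershell
# Added example: verify the Microsoft Malware Protection Engine is at or above the
# fixed version and force an engine/definition update if it is not.
# Assumes the Defender PowerShell module is present (Windows 8.1 / 10 / Server 2012 R2+).

$patchedEngine = [version]'1.1.10701.0'   # first engine version carrying the fix

function Test-MpEngineVersion {
    param([version]$Minimum = $patchedEngine)

    $status = Get-MpComputerStatus
    # AMEngineVersion is the engine; AntivirusSignatureVersion is the definition set.
    # Only the former matters for this fix.
    $engine = [version]$status.AMEngineVersion

    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        EngineVersion      = $engine
        SignatureVersion   = $status.AntivirusSignatureVersion
        RealTimeProtection = $status.RealTimeProtectionEnabled
        Patched            = ($engine -ge $Minimum)
    }
}

$result = Test-MpEngineVersion
$result | Format-List

if (-not $result.Patched) {
    Write-Warning "Engine $($result.EngineVersion) is older than $patchedEngine; forcing an update..."
    # Pulls engine and definition updates from the configured source
    # (Microsoft Update, WSUS, or a file share), the same path the 48-hour
    # automatic rollout uses, just triggered now.
    Update-MpSignature

    $result = Test-MpEngineVersion
    if ($result.Patched) {
        Write-Host "Updated: engine is now $($result.EngineVersion)"
    } else {
        # Typical causes: WSUS has not approved the engine update, or the
        # update source is unreachable. Check the update server before re-running.
        Write-Warning "Engine still $($result.EngineVersion); check your update source or WSUS approvals"
    }
}

# Optional fleet check for enterprise administrators. $fleet is a placeholder list;
# remoting (WinRM) must be enabled on the targets. Only the check is run remotely;
# unpatched hosts are listed so the update can be pushed through management tooling.
$fleet = @('HOST01', 'HOST02')   # hypothetical computer names
$fleetResults = Invoke-Command -ComputerName $fleet -ScriptBlock ${function:Test-MpEngineVersion} -ErrorAction SilentlyContinue
$fleetResults | Where-Object { -not $_.Patched } |
    Select-Object Computer, EngineVersion, SignatureVersion |
    Format-Table -AutoSize
```

Run the script in an elevated PowerShell session. `Update-MpSignature` updates the engine as well as definitions when an engine update is offered by the configured source, so in a WSUS environment it only helps once the administrator has approved the engine update there, which is exactly the point Microsoft makes in the advisory quoted above.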