On Wednesday, Microsoft started rolling out an update to all Windows products that rely on the Malware Protection Engine for security scans.
The update fixes a security bug discovered by the UK National Cyber Security Centre (NCSC), a branch of the UK Government Communications Headquarters (GCHQ), the country’s official intelligence and security agency.
Critical MMPE bug allows remote code execution
Microsoft says the bug —tracked as CVE-2017-11937— is rated “Critical” in terms of severity and allows remote code execution on vulnerable products.
A remote code execution vulnerability exists when the Microsoft Malware Protection Engine does not properly scan a specially crafted file, leading to memory corruption. An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the LocalSystem account and take control of the system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
To exploit this flaw, an attacker must first craft a malformed file and deliver it to a remote computer, for example via email, inside IM messages, or as part of a website’s code loaded when the user accesses the site, or otherwise place it in a location that the Microsoft Malware Protection Engine scans by default.
The Microsoft Malware Protection Engine is designed to scan files in real time automatically, leading to immediate and easy exploitation of the vulnerability.
The Malware Protection Engine is included with products such as Windows Defender, Microsoft Security Essentials, Microsoft Endpoint Protection,…