Miscreants can turn the tables on Microsoft and use its own antivirus engine against Windows users – by abusing it to install malware on vulnerable machines.
A particularly nasty security flaw exists in Redmond’s anti-malware software, which is packaged and marketed in various forms: Windows Defender, Windows Intune Endpoint Protection, Microsoft Security Essentials, Microsoft System Center Endpoint Protection, Microsoft Forefront Security for SharePoint, Microsoft Endpoint Protection, and Microsoft Forefront Endpoint Protection. All are, at this moment, at risk. The software is switched on by default in Windows 8, 8.1, 10, and Windows Server 2012.
It is possible for hackers to craft files that are booby-trapped with malicious code, and this nasty payload is executed inadvertently and automatically by the scanner while inspecting messages, downloads and other files. The injected code runs with administrative privileges, allowing it to gain full control of the system, install spyware, steal files, and so on.
In other words, while Microsoft’s scanner is silently searching your incoming email for malware, it can be tricked into running and installing the very sort of software nasty it’s supposed to catch and kill.
On Monday night, in an emergency update, Microsoft fixed the vulnerability in its security packages. This upgrade will be automatically fetched and installed by the scanner engine on your machines, quietly closing the embarrassing security hole over the next two days.
“The update addresses a vulnerability that could allow remote code execution if the Microsoft Malware Protection Engine scans a specially crafted file,” explained Redmond’s security team.
“An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the LocalSystem account and take control of the system.
“Typically, no action is required of enterprise administrators or end users to install updates for the Microsoft Malware Protection Engine, because the built-in mechanism for the automatic detection and deployment of updates will apply the update within 48 hours of release. The exact time frame depends on the software used, Internet connection, and infrastructure configuration.”
The programming blunder – CVE-2017-0290 – was discovered and reported to Redmond by Google Project Zero’s Natalie Silvanovich and Tavis Ormandy. The latter described the bug as “the worst Windows remote code [execution] in recent memory. This is crazy bad.”
Ahead of tonight’s drama, Ormandy tweeted about the bug’s existence on Friday evening, and, understandably, gave no further details because at the time there was no patch yet available: