Microsoft on Monday patched a severe code-execution vulnerability in the Microsoft Malware Protection Engine (MsMpEng), which ships with almost every recent version of Windows (7, 8, 8.1, 10, and Server 2016), just three days after the flaw came to the company's attention. Windows Defender, which is built on that engine, is installed by default on all consumer-oriented Windows PCs.
The vulnerability (tracked as CVE-2017-0290) allows a remote attacker to take over a system without any interaction from its owner: it is enough for the attacker to send an e-mail or instant message that Windows Defender scans. Likewise, anything else that the malware protection engine scans automatically, such as websites or file shares, could serve as an attack vector. Tavis Ormandy, one of the two Google Project Zero researchers who discovered the flaw, warned that exploits were "wormable," meaning a compromised machine could attack further vulnerable machines on its own, producing a self-replicating chain of infections.
Microsoft's speed in issuing an automatic patch was impressive. Word of the critical flaw first surfaced in a series of tweets by Ormandy on Friday night. He called it "the worst Windows remote code exec in recent memory" and warned that attacks "work against a default install, don't need to be on the same LAN, and it's wormable." Most security experts assumed Microsoft would need several weeks to patch it. To their surprise, Microsoft pushed out the fix on Monday evening.
Because MsMpEng runs with the highest privileges on the system and is so ubiquitous across Windows PCs, this vulnerability is about as bad as it gets. Fortunately, the researchers who discovered it, Natalie Silvanovich and Ormandy, both of Google Project Zero, reported the technical details privately, and last night Microsoft announced the patch. The engine receives updates automatically through the same channel as malware definitions, typically within 48 hours of release, so disaster has probably been averted; machines that are offline or cut off from that update channel remain exposed until they receive the new engine. Microsoft's security bulletin notes that the company had not seen any public exploitation of the vulnerability.
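Since the fix arrives silently through the definition-update channel rather than as a visible Windows Update, the practical check is to read the installed engine version. The following is an added example written for this page, not a script from Microsoft or from the researchers. It assumes Windows 8.1, 10 or Server 2016, where the Defender PowerShell module (`Get-MpComputerStatus`, `Update-MpSignature`) is available, and it uses 1.1.10701.0 as the first engine version that addresses CVE-2017-0290, the value given in Microsoft's advisory for the flaw. Run it from an elevated PowerShell session.

```powershell
# Added example (not from the article or from Microsoft): confirm the installed
# MsMpEng engine is at or above the first version that fixes CVE-2017-0290,
# and pull an update if it is not.
# Assumption: 1.1.10701.0 is the fixed engine version named in Microsoft's advisory.
$FixedEngine = [version]'1.1.10701.0'

function Get-EngineVersion {
    # AMEngineVersion is the malware protection engine (MsMpEng) version,
    # distinct from the signature/definition version.
    [version](Get-MpComputerStatus).AMEngineVersion
}

$engine = Get-EngineVersion
if ($engine -ge $FixedEngine) {
    Write-Output "Engine $engine is at or above $FixedEngine: CVE-2017-0290 is addressed on this host."
}
else {
    Write-Output "Engine $engine predates the fix ($FixedEngine); requesting an update now."
    # Update-MpSignature fetches engine and definition updates from the configured
    # source (Microsoft Update, WSUS, or a file share), the same path the
    # automatic 48-hour refresh uses.
    Update-MpSignature
    $engine = Get-EngineVersion
    if ($engine -ge $FixedEngine) {
        Write-Output "Updated to engine $engine."
    }
    else {
        Write-Warning "Still on engine $engine after update attempt; check connectivity to the update source and the AMServiceEnabled / AntivirusEnabled fields of Get-MpComputerStatus."
    }
}
```

On Windows 7, where the engine ships inside Microsoft Security Essentials rather than Windows Defender, the Defender module is not present; the same engine version is shown in the product's Help > About dialog, and the same threshold applies. For fleet-wide checks, run the version comparison remotely (for example via `Invoke-Command`) and collect the hosts that report an older engine, since those are the machines on which the 48-hour automatic update has not landed.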