There was a certain amount of panic when Google’s Project Zero researchers announced a serious zero-day vulnerability in Windows this weekend. The project’s Tavis Ormandy and Natalie Silvanovich reported “the worst remote code exec in recent memory.”
Of course, the discovery of a flaw by Google also starts a countdown timer. To encourage rapid fixes, the team commits to publishing details ninety days after the developer is notified.
There was some concern, then, about Microsoft’s ability to patch it in time. Thankfully, the tech giant was able to remedy the issue in just two days. Now that it’s fixed, we’re privy to a few more details.
“Just released malware protection engine update to address RCE vuln – Defender will autoupdate. https://t.co/rzn5QWo6sV”
— Security Response (@msftsecresponse) May 9, 2017
Windows Defender Exploit
According to Google, the vulnerability was in Windows Defender, specifically in its anti-malware engine, MsMpEng. The engine could be tricked into executing code delivered via a web page, email, or message. What’s more, malware could then spread to other systems on the local network.
“Vulnerabilities in MsMpEng are among the most severe possible in Windows, due to the privilege, accessibility, and ubiquity of the service,” said Ormandy.
MsMpEng runs on a number of platforms, including Windows 10, 8, 8.1 and Windows Server 2016. In the latest versions of 10 and 8.1, the exploit is mitigated somewhat by Control Flow Guard.
However, there’s no denying that this is a critical vulnerability. The tagline of “worst remote code exploit in recent memory” may actually fit.
Of course, Microsoft is taking it very seriously and has released a security advisory of its own. It’s rolling out an automatic update to the malware protection engine and encourages admins to “follow their established internal processes to ensure that the definition and engine updates are approved in their update management software.”
The patch should apply itself within 48 hours, but if you can’t wait, a manual update is possible. If your malware protection engine is version 1.1.13701.0, refer to this knowledge base article.
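As an added example (not from the article or from Microsoft), the following PowerShell checks the local Defender engine version against the 1.1.13701.0 build named above and triggers the manual update if it has not moved past it. It assumes the Defender PowerShell module (Get-MpComputerStatus, Update-MpSignature) is available and that the prompt is elevated; treating that version and anything earlier as not yet updated is this example’s assumption.

```powershell
# Added example, not code from the article. Assumes the Defender module
# (Windows 8.1 / Server 2012 R2 and later) and an elevated prompt.

# Engine version the article names as needing the manual update.
# Assumption: this build and anything earlier has not yet received the fix.
$AffectedVersion = [version]'1.1.13701.0'

function Test-DefenderEngineAffected {
    $status = Get-MpComputerStatus
    # AMEngineVersion is a dotted string; cast so comparison is numeric, not lexical.
    $engine = [version]$status.AMEngineVersion
    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        EngineVersion = $engine
        Affected      = ($engine -le $AffectedVersion)
        LastUpdated   = $status.AntivirusSignatureLastUpdated
    }
}

$result = Test-DefenderEngineAffected
$result | Format-List

if ($result.Affected) {
    # Pull the engine and definition update now instead of waiting up to 48 hours.
    Update-MpSignature -UpdateSource MicrosoftUpdateServer
    # Re-check so the new engine version is recorded alongside the old one.
    Test-DefenderEngineAffected | Format-List
}
```

Run it across a fleet with Invoke-Command and collect the objects to see which hosts still report Affected = True.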