Microsoft has rushed out an emergency patch to deal with a “crazy bad” security flaw that allowed hackers to exploit an auto-scan feature to upload malicious files to a machine via email.
The issue was initially flagged three days ago by Natalie Silvanovich and Tavis Ormandy, researchers at Google’s Project Zero, who discovered a bug within Microsoft’s Malware Protection Engine. The engine automatically intercepts incoming content and scans it, so a malicious file delivered to the machine is processed by the vulnerable code as part of that scan.
This meant that attackers were able to gain remote access to a user’s PC by just sending them an email, whether they opened it or not. Malicious code could also be delivered through a website, or through a file uploaded to a location that is hosting user content, such as cloud storage, where the Protection Engine is able to scan its contents.
Vulnerabilities inside the Microsoft Malware Protection Engine, which is a default security tool for Windows 8 and 10, are considered among the most severe possible, given the high privileges the engine runs with and how easily an attacker can reach the flaw.
I think @natashenka and I just discovered the worst Windows remote code exec in recent memory. This is crazy bad. Report on the way.
— Tavis Ormandy (@taviso) May 6, 2017
In fact, the vulnerability is so severe that Microsoft has warned other security tools are also at risk. Those identified include Windows Defender, Intune Endpoint Protection, Microsoft Security Essentials and Microsoft System Center Endpoint Protection.
“If the affected antimalware software has real-time protection turned on, the Microsoft Malware Protection Engine will scan files automatically, leading to exploitation of the vulnerability when the specially crafted file is scanned,” said Microsoft, in an advisory released on Monday.
The latest update, which should download automatically through Windows Update, “addresses the vulnerability by correcting the manner in which Microsoft Malware Protection Engine scans specially crafted files”.
System administrators will need to ensure their update management software is set to automatically approve Windows engine updates and ensure the new versions of the engine are being downloaded.
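One way to verify that the engine update has actually landed on a machine, as an added example that is not part of the article or of Microsoft's advisory: the article does not give the fixed engine version number, so it is taken as a mandatory parameter and the placeholder in the usage comment must be replaced with the version from Microsoft's advisory. The cmdlets used (Get-MpComputerStatus, Update-MpSignature) are the built-in Defender PowerShell module on Windows 8/10 and Server.

```powershell
# Added example (not from the article): confirm the local Microsoft Malware
# Protection Engine is at or above a minimum version, and optionally trigger
# an engine/signature update if it is not.
function Test-MpEngineUpdated {
    param(
        # Fixed engine version from Microsoft's advisory; NOT stated in the article.
        [Parameter(Mandatory = $true)]
        [version]$MinimumEngineVersion,

        # If set, attempt a pull of the latest engine/definitions when behind.
        [switch]$Remediate
    )

    # Get-MpComputerStatus reports the running engine and protection state.
    $status  = Get-MpComputerStatus
    $engine  = [version]$status.AMEngineVersion
    $patched = ($engine -ge $MinimumEngineVersion)

    if (-not $patched -and $Remediate) {
        # Update-MpSignature pulls the newest engine and definitions from the
        # configured update source (Windows Update / WSUS / MMPC as set).
        Update-MpSignature -ErrorAction Stop
        $status  = Get-MpComputerStatus
        $engine  = [version]$status.AMEngineVersion
        $patched = ($engine -ge $MinimumEngineVersion)
    }

    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        EngineVersion         = $engine
        MinimumEngineVersion  = $MinimumEngineVersion
        EngineIsPatched       = $patched
        # Real-time protection on an unpatched engine is the exposed configuration
        # the advisory describes, so it is worth reporting alongside the version.
        RealTimeProtectionOn  = $status.RealTimeProtectionEnabled
        SignaturesLastUpdated = $status.AntivirusSignatureLastUpdated
    }
}

# Usage (placeholder version; substitute the value from the advisory):
# Test-MpEngineUpdated -MinimumEngineVersion '<FIXED-ENGINE-VERSION>' -Remediate
# For a fleet, run the same check remotely, e.g.:
# Invoke-Command -ComputerName (Get-Content .\hosts.txt) -ScriptBlock ${function:Test-MpEngineUpdated} `
#     -ArgumentList '<FIXED-ENGINE-VERSION>' | Where-Object { -not $_.EngineIsPatched }
```

Machines that report EngineIsPatched as false after remediation are the ones whose update management configuration (WSUS approval rules or update source) still needs attention.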