On Monday, Microsoft issued a security update for the Microsoft Malware Protection Engine in response to a report of a critical remote code execution vulnerability. Google's Project Zero researchers found the flaw and reported it to Microsoft over the weekend.
Security researchers Tavis Ormandy and Natalie Silvanovich discovered the vulnerability. Members of Project Zero have uncovered comparably serious bugs in the past on Android and on Apple's iOS.
The hole was patched on the eve of Microsoft's Build 2017 conference, which kicks off this Wednesday. At the event, the company will present to developers the hardware and software it has coming over the next few months.
What was the security flaw and how did it affect users?
I think @natashenka and I just discovered the worst Windows remote code exec in recent memory. This is crazy bad. Report on the way.
— Tavis Ormandy (@taviso) May 6, 2017
The vulnerability, identified by the Project Zero team and patched by Microsoft, is tracked as CVE-2017-0290. It sits in the Microsoft Malware Protection Engine (mpengine.dll), the scanning core shared by Windows Defender, Microsoft Security Essentials, Forefront Endpoint Protection and related Microsoft products, so every product built on that engine was affected. Microsoft's advisory describes the impact this way:
"An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the LocalSystem account and take control of the system."
Ormandy called it "the worst Windows remote code exec in recent memory" because an attacker needed only to get a specially crafted file onto a machine where the engine would scan it; no further user interaction was required.
Email is the obvious delivery route. With real-time protection enabled, the engine scans files as they land on disk, so a malicious attachment is processed as soon as the mail client stores it, before the user opens the message, let alone the attachment. A file fetched by a browser while visiting a web page is scanned the same way. Because the scan itself triggers the bug, the usual advice not to open untrusted attachments offered no protection, and there was no separate security layer in front of the engine to catch it: the component meant to be the defence was the vulnerable one.
Project Zero's report traced the bug to NScript, the engine's built-in JavaScript interpreter, which evaluates untrusted script found inside scanned files so that it can detect malicious behaviour. A type confusion in that interpreter let attacker-controlled script corrupt memory. The engine's service (MsMpEng) runs unsandboxed as NT AUTHORITY\SYSTEM, which is why the advisory's "LocalSystem" wording matters: code execution inside the scanner is full control of the machine. So, in principle, an attacker could have used this bug to take over systems remotely without the victim doing anything at all.
Still blown away at how quickly @msftsecurity responded to protect users, can't give enough kudos. Amazing.
— Tavis Ormandy (@taviso) May 9, 2017
How can I know for sure I am protected now?
Microsoft's advisory did not say whether any attacks using the flaw had been observed, but the Microsoft Security Response Center shipped a fixed engine within about two days of the Saturday report.
Engine updates travel through the same channel as the malware definition (signature) updates, not through the monthly Patch Tuesday cumulative updates: they install silently in the background, need no restart, and the automatic update mechanism normally applies them within 48 hours of release. This fix is one of those engine updates, so it will not show up as a separate entry in Windows Update history, and a machine that has been offline or whose definition updates are blocked will still be running the old engine.
To confirm you are protected, open Settings, go to Update & security, then Windows Defender, and check the engine version (not the definition version): 1.1.13704.0 or higher contains the fix, while 1.1.13701.0 is the last vulnerable version. If you are still on an older engine, trigger a definition update from that same page; the engine update comes down with it.
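For a fleet rather than a single desktop, the same check is easier from PowerShell. The script below is an added example, not something from the article or from Microsoft; it assumes the Defender module (Get-MpComputerStatus, Update-MpSignature) is present, as it is on Windows 10 and Windows Server 2016, and the helper function name Test-MpEngineFixed is my own. The version thresholds are the ones stated above.

```powershell
# Added example: check whether the local Microsoft Malware Protection Engine
# is at or above the build that fixes CVE-2017-0290, and force an update if not.
# Assumes the Defender PowerShell module is available (Windows 10 / Server 2016).

$FixedEngine = [version]'1.1.13704.0'   # first fixed engine build
$LastBadEngine = [version]'1.1.13701.0' # last vulnerable engine build

function Test-MpEngineFixed {
    param(
        [Parameter(Mandatory)][string]$EngineVersion,
        [version]$Fixed = $FixedEngine
    )
    # Compare as [version], never as strings: as a string '1.1.13704.0' sorts
    # BEFORE '1.1.9999.0', which would wrongly report a patched engine as old.
    return ([version]$EngineVersion -ge $Fixed)
}

$status = Get-MpComputerStatus
$engine = $status.AMEngineVersion   # engine build, distinct from AntivirusSignatureVersion

if (-not $status.RealTimeProtectionEnabled) {
    Write-Warning "Real-time protection is off; new files are not scanned automatically."
}

if (Test-MpEngineFixed -EngineVersion $engine) {
    "Engine $engine is patched for CVE-2017-0290."
} else {
    "Engine $engine is VULNERABLE (last known bad build: $LastBadEngine). Updating..."
    # Update-MpSignature pulls definitions AND the current engine from the
    # configured update source (Microsoft Update by default, or WSUS/share).
    Update-MpSignature
    $engine = (Get-MpComputerStatus).AMEngineVersion
    if (Test-MpEngineFixed -EngineVersion $engine) {
        "Now on engine $engine."
    } else {
        Write-Warning "Still on $engine. Check that this host can reach its definition update source."
    }
}
```

Run it elevated. If the update step leaves the engine unchanged, the usual causes are a WSUS or shared-folder update source that has not yet synced the new engine package, or an outbound proxy blocking Microsoft Update; until the engine moves to 1.1.13704.0 or later the host is still exposed to anything it scans.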
Source: Microsoft