Microsoft has been forced to scramble after researchers discovered a critical, remotely exploitable flaw in the scanning engine shared by its anti-malware products, one that could be used to fully compromise a system without any user interaction.
The flaw, CVE-2017-0290, exists because the Microsoft Malware Protection Engine (MMPE) fails to properly scan a specially crafted file, leading to memory corruption on the scanning host, the company said in an advisory.
The flaw is reachable in several ways because Microsoft's security software scans files on arrival in real time: the crafted file only has to be scanned, not opened or run by the victim.
And as the MMPE and its associated processes run at the elevated LocalSystem privilege level, a successful attack gives the attacker full control of the machine, Microsoft warned; the component meant to inspect untrusted input is itself the attack surface.
Microsoft has patched the flaw and is currently rolling out updates after being alerted to the issue by Google Project Zero team members Natalie Silvanovich and Tavis Ormandy.
Ormandy termed the flaw "the worst in recent memory".
The pair noted the vulnerability could be exploited by sending emails, by luring targets to websites that deliver malicious files, through instant messaging, and by other means.
Microsoft took just three days to fix the remote code execution flaw. It said there was no evidence the flaw had been exploited by attackers.
Other products built on the engine, including Forefront Endpoint Protection, Endpoint Protection, Forefront Security for SharePoint, Security Essentials, and Intune Endpoint Protection, have been updated to fix the flaw.
The vulnerability also affects Windows Defender on Windows 7, 8.1, RT 8.1, and Windows 10, as well as Windows Server 2016.
The last affected version of the MMPE is 1.1.13701.0; the first version with the fix is 1.1.13704.0.
Users don't have to take any action if their security products are left at the default settings, which update the engine and definitions automatically, Microsoft said. Administrators who stage or control update distribution themselves should confirm that hosts have actually received an engine at or above the fixed version.
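The version check an administrator would run on a fleet, as an added example rather than anything from the article or Microsoft's advisory. It assumes the Defender PowerShell module (Get-MpComputerStatus, Update-MpSignature) on Windows 8.1 / Server 2012 R2 and later; for Security Essentials and Endpoint Protection on Windows 7, where that module is absent, it falls back to the EngineVersion registry value those products write and to MpCmdRun.exe, whose install path is assumed here.

```powershell
# Added example (not from the article or Microsoft): report whether the local
# Malware Protection Engine is at or above the first fixed build for CVE-2017-0290.

$FixedEngine = [version]'1.1.13704.0'   # first engine version with the fix, per the advisory

function Get-MpEngineVersion {
    # Preferred path: Defender module, available on Windows 8.1 / Server 2012 R2 and later.
    if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
        return [version](Get-MpComputerStatus).AMEngineVersion
    }
    # Fallback (assumed registry locations) for Windows Defender without the module and for
    # Security Essentials / System Center Endpoint Protection on Windows 7.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows Defender\Signature Updates',
        'HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware\Signature Updates'
    )
    foreach ($p in $paths) {
        $v = (Get-ItemProperty -Path $p -Name EngineVersion -ErrorAction SilentlyContinue).EngineVersion
        if ($v) { return [version]$v }
    }
    throw 'Could not determine the Malware Protection Engine version on this host.'
}

function Invoke-MpEngineUpdate {
    # Pull a new engine and definitions through whatever update channel the product is configured for.
    if (Get-Command Update-MpSignature -ErrorAction SilentlyContinue) {
        Update-MpSignature
        return
    }
    # Assumed install path for Security Essentials / Endpoint Protection's command-line tool.
    $mpcmd = Join-Path $env:ProgramFiles 'Microsoft Security Client\MpCmdRun.exe'
    if (Test-Path $mpcmd) { & $mpcmd -SignatureUpdate } else { throw 'No update mechanism found.' }
}

$engine = Get-MpEngineVersion
if ($engine -lt $FixedEngine) {
    Write-Warning "Engine $engine predates $FixedEngine; CVE-2017-0290 is not fixed on $env:COMPUTERNAME. Updating..."
    Invoke-MpEngineUpdate
    $engine = Get-MpEngineVersion
}

if ($engine -ge $FixedEngine) {
    "$env:COMPUTERNAME: engine $engine is at or above the fixed build."
} else {
    Write-Error "$env:COMPUTERNAME: still on engine $engine after update attempt; check update policy and WSUS/SCCM staging."
}
```

A host that reports exactly 1.1.13701.0 after the update attempt is the case to chase: it is the last affected build, and it usually means engine updates are being held back by a staged deployment rather than failing outright.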