On Wednesday, Microsoft announced an emergency security patch for CVE-2017-11937, a remote code execution bug in its Malware Protection Engine, mpengine.dll. According to Microsoft, “An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the LocalSystem account and take control of the system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”
The company added, “For example, an attacker could use a website to deliver a specially crafted file to the victim’s system that is scanned when the website is viewed by the user. An attacker could also deliver a specially crafted file via an email message or in an Instant Messenger message that is scanned when the file is opened. In addition, an attacker could take advantage of websites that accept or host user-provided content, to upload a specially crafted file to a shared location that is scanned by the Malware Protection Engine running on the hosting server.”
Affected Microsoft products include:
- Windows Defender in Windows 7, Windows 8.1, and Windows 10
- Microsoft Security Essentials
- Endpoint Protection
- Forefront Endpoint Protection
- Exchange Server 2013 and 2016
It is important to note that Windows XP may also be affected, but it is no longer supported by Microsoft, so no fix is being distributed for that version of the operating system.
Because of the severity of the vulnerability, Microsoft did not rely on Windows Update to ship the fix, electing instead to deliver an updated version of mpengine.dll automatically through the engine's own update mechanism, regardless of whether Windows Update is turned on.
This is the latest issue to plague Microsoft’s malware protection engine, and it has cybersecurity experts revisiting earlier criticism that Microsoft didn’t sandbox Windows Defender. Sandboxing is a common practice that isolates specific software from the rest of the computer, thereby minimizing the probability that a critical vulnerability, such as this one, could compromise the entire operating system.
Microsoft can thank the U.K.’s National Cyber Security Centre, part of its signals intelligence agency GCHQ, for the discovery of this vulnerability. To date, there are no known exploits, and applying the patch as quickly as possible is the best way to eliminate the threat.