Microsoft emergency update: Malware Engine needs, erm, malware protection

Stop appreciating the irony and go install the patch now

By Shaun Nichols in San Francisco

Posted in Software, 7th December 2017 21:28 GMT

Microsoft has posted an out-of-band security update to address a remote code execution flaw in its Malware Protection Engine.

Redmond says the flaw, dubbed CVE-2017-11937, has not yet been exploited in the wild. Because it is an out-of-band critical fix, however, it should be installed as soon as possible. For most users, this will happen automatically.

The security hole is present in Windows Defender and Microsoft Security Essentials, as well as Endpoint Protection, Forefront Endpoint Protection, and Exchange Server 2013 and 2016.

The bug was discovered and reported by the UK's National Cyber Security Centre – which is part of GCHQ, Blighty's spying nerve center.

According to Microsoft, the vulnerability can be triggered when the Malware Protection Engine scans a downloaded file to check for threats. In many systems this is set to happen automatically for all new files.

By exploiting a memory corruption error in the malware scanning tool, the attack file would be able to execute code on the target machine with LocalSystem privileges.

Windows Update borks elderly printers in typical Patch Tuesday style

READ MORE

"There are many ways that an attacker could place a specially crafted file in a location that is scanned by the Microsoft Malware Protection Engine. For example, an attacker could use a website to deliver a specially crafted file to the victim's system that is scanned when the website is viewed by the user," Microsoft explains.

"An attacker could also deliver a specially crafted file via an email message or in an Instant Messenger message that is scanned when the file is opened. In addition, an attacker could take advantage of websites that accept or host user-provided content, to upload a specially crafted file to a shared location that is scanned by the Malware Protection Engine running on the hosting server."

Microsoft notes that, because Malware Protection Engine is set up to constantly receive updates, the fix will automatically be delivered over the air for most home users and many enterprise customers.

The out-of-band update comes just days before Microsoft is scheduled to post its December security updates with the December 12 Patch Tuesday release. Adobe typically follows suit with its own monthly patches on that day. ®

Sign up to our NewsletterGet IT in your inbox daily

38 Comments

More from The Register

Oracle nemesis MariaDB tries to lure enterprise folk with TX 3.0

Release adds Big Red compatibility, migration service

Oracle slurps enterprise cloud API wrangler Apiary

Time for REST... and it's only January

Data shepherd Rubrik herds Microsoft, Oracle users towards its Alta

Now talks to Nutanix AHV, Microsoft Hyper-V and Oracle RMAN

Due to Oracle being Oracle, Eclipse holds poll to rename Java EE (No, it won't be Java McJava Face)

Nor C-- or Should Have Used Go or Screw Ellison...

Oracle-botherer Rimini Street cuddles up to Salesforce

Just as the $50m returned from Big Red court battles lifts profits

Oracle Access Manager is a terrible doorman: Get patching this bug

Security tool can be gamed to let any old riffraff into data

Oracle whips out the swatter, squishes 254 security bugs in its gear

Java fixes lobbed out, Spectre Solaris patches issued

Hurry up patching those Oracle bugs: Attackers aren't waiting

Honeypots swarmed on within three hours of patch release

Oracle pledges annual Solaris updates for you to install each summer

And a plan to have users of Sun hardware upgrade if they want Solaris 11.4 and proper patches

Umm, Oracle – about that patch? It might not be very sticky ...

Security researcher says WebLogic fix can be bypassed, posts proof-of-concept