Microsoft patches antimalware engine vulnerability

Summary:A denial of service bug in the engine's JavaScript interpreter could allow an attacker to turn off protection.

Microsoft has issued an update to all their antimalware products to fix a denial of service bug in the engine they share.

The advisory describing the update and vulnerability says that the denial of service is invoked when the engine scans a specially-crafted file. Denial of service bugs are often considered less-serious, but with this one: "[a]n attacker who successfully exploited this vulnerability could prevent the Microsoft Malware Protection Engine from monitoring affected systems until the specially crafted file is manually removed and the service is restarted."

The advisory goes on to say that exploitation might cause the operating system or an application to become permanently unresponsive until manually restarted, or cause an application to quit unexpectedly.

The affected products run on both clients and servers:

  • Microsoft Forefront Client Security
  • Microsoft Forefront Endpoint Protection 2010
  • Microsoft Forefront Security for SharePoint Service Pack 3
  • Microsoft System Center 2012 Endpoint Protection
  • Microsoft System Center 2012 Endpoint Protection Service Pack 1
  • Microsoft Malicious Software Removal Tool (May 2014 or earlier versions)
  • Microsoft Security Essentials
  • Microsoft Security Essentials Prerelease
  • Windows Defender for Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2
  • Windows Defender for Windows RT and Windows RT 8.1
  • Windows Defender for Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2
  • Windows Defender Offline
  • Windows Intune Endpoint Protection

The advisory also says that exploit code would be unlikely on current versions of software and "difficult to build" on earlier versions.

Updates to engines are typically deployed automatically, especially on consumer systems, so there is not likely any action that users need to take. </p>

The vulnerability was reported to Microsoft by the prolific Tavis Ormandy of Google Project Zero. Ormandy tweets that the bug is in the engine's Javascript interpreter.

Our initial testing of a Windows XP system running Microsoft Security Essentials showed no update to the product available through Microsoft Update.

Topics: Security, Microsoft


Larry Seltzer has long been a recognized expert in technology, with a focus on mobile technology and security in recent years. He was most recently Editorial Director of BYTE, Dark Reading and Network Computing at UBM Tech. Prior to that he spent over a decade consulting and writing on technology subjects, primarily in the area of sec... Full Bio

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.