Video: When it comes to malware, Windows 10 is twice as secure as Windows 7
Microsoft has rolled-out security updates to fix a critical remote code execution flaw affecting Windows Defender and other anti-malware products.
Ahead of April's Patch Tuesday, Microsoft has released patches for the critical flaw, which affects Microsoft Malware Protection Engine, or mpengine.dll, the core of Windows Defender in Windows 10.
"An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the LocalSystem account and take control of the system," warns Microsoft.
"An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."
Google Project Zero researcher Thomas Dullien, aka Halvar Flake, discovered that attackers can trigger a memory-corruption issue in the engine if they can get Windows Defender and other affected security products to scan a specially-crafted file.
Microsoft warns there are many ways an attacker could achieve this, including placing the file on a website, in an email or instant message, on any site that hosts files, or in a shared directory.
As with similar vulnerabilities reported last year by the UK's National Cyber Security Centre (NCSC) and Project Zero, an attack would be instant if the affected antivirus has real-time protection enabled.
"If the affected anti-malware software has real-time protection turned on, the Microsoft Malware Protection Engine will scan files automatically, leading to exploitation of the vulnerability when the specially crafted file is scanned," Microsoft notes.
"If real-time scanning is not enabled, the attacker would need to wait until a scheduled scan occurs for the vulnerability to be exploited. All systems running an affected version of anti-malware software are primarily at risk."
Although the patch is being released before Microsoft's monthly security update, the bug, CVE2018-0986, is not an out-of-band patch as Microsoft updates the engine as needed.
Admins and end-users typically won't need to take action for the updates to install, due to built-in tools for deploying updates to the affected products, which also include Microsoft Security Essentials, and Forefront Endpoint Protection 2010, Microsoft Exchange Server 2013 and 2016, as well as Windows Intune Endpoint Protection.
Windows Defender for all supported versions of Windows and Windows Server are affected.
End-users should receive the fixed version of the Microsoft Malware Protection within 48 hours, according to Microsoft. The vulnerable version 1.1.14600.4 will be updated to version 1.1.14700.5.
Microsoft also notes that the default configuration for Microsoft's anti-malware products in the enterprise is to automatically receive updates.
Previous and related coverage
Microsoft is continuing to polish its coming Windows 10 release with Fast Ring Insider Build 17120 as it heads toward the finish line.
Microsoft has addressed a USB and onboard device bug it introduced in its February security update.
The volume of malware seen on Windows 10 devices is far lower than on Windows 7 machines, according to one security firm.
For the second time in a week, Google reveals another unpatched Windows 10 vulnerability.
The Windows 10 interface that allows apps to connect to antivirus software is truncating files, causing compromised code to come back clean.