Microsoft warned that the vulnerability could allow attackers to execute arbitrary code and take control of a system.
Building a slide deck, pitch, or presentation? Here are the big takeaways:
- A flaw in Microsoft's Malware Protection Engine makes it possible for an attacker to gain control of a machine whenever the target's antivirus software scans a malicious file.
- Microsoft has patched the security hole that makes the attack possible. Windows users should be sure their MMPE is updated to the latest version as soon as possible.
Microsoft has released an update to its Microsoft Malware Protection Engine (MMPE) to guard against a remote execution attack that could cause memory corruption and hand full system control over to a remote attacker.
The attack, which Microsoft said hasn't been exploited yet, affects all currently supported versions of Windows and Windows Server. Systems configured to install updates automatically don't require any action—the update should be installed within 48 hours of Microsoft releasing it, which it did on April 3, 2018.
Microsoft says that the attack is less likely to be exploited, but anyone who relies on built-in Windows anti-malware should be sure their systems are updated as soon as possible. As with other popular security exploits, having been patched doesn't stop hackers from writing code to target them.
How the attack works
Microsoft has been mum on the specifics of the attack, only explaining it in the most general of generalizations.
The attack is simple in principle and relies on an attacker exploiting the MMPE's improper scanning of certain specially crafted files (no additional details on file type are given). An MMPE scan of the malicious file results in memory corruption that allows an attacker to execute code remotely on the affected machine.
SEE: Securing Windows policy (Tech Pro Research)
Successful attackers gain, in essence, total control over the victim computer. "An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights," Microsoft said.
As with other remote execution exploits, the trick is getting the affected file onto the target computer. There are no new tricks here, at least according to Microsoft: An attacker could use a compromised website to deliver the file, send it as an email/messaging attachment, or place the file on a cloud drive, which Microsoft says could cause the host server to become affected.
To make matters worse, anti-malware software that uses MMPE and has real-time protection turned on will scan malicious files automatically, resulting in instant infection, according to Microsoft.
Another exploit, another warning
Windows users and administrators should be sure their systems are updated to the latest MMPE version, 1.1.14700.5. Microsoft's anti-malware software defaults to automatically download updates, so the average user should be safe.
If your network configuration blocks updates until approved it's essential to speed this one along. The alternative, as we've seen many times before, is a future attack that could have easily been prevented.
- IT pro's guide to effective patch management (free PDF) (TechRepublic)
- These five programming languages have flaws that expose apps to attack (ZDNet)
- Windows security: New Microsoft dashboard shows PCs at risk from Meltdown-Spectre (TechRepublic)
- Your website is under constant attack (ZDNet)
- Report: The IT response to WannaCry (TechRepublic)