Microsoft Releases Out of Band Patch for Vulnerability in Malware Protection Engine

Microsoft Releases Out of Band Patch for Vulnerability in Malware Protection Engine

Microsoft has issued an Out of Band (OOB) update for the Malware Protection Engine in all of its current versions of antimalware software.

They say Windows as a Service (WaaS) is part of an agile development process and it certainly appears that agility was used to address this security concern in Microsoft's Malware Protection Engine that is used across all of its antimalware security software offerings.

This vulnerability was discovered this past weekend and, according to reports by those who discovered it, it was a serious threat with these characteristics:

-- The vulnerability they claimed to have discovered works against default Windows installations.

-- The attacker does not need to be on the same local area network (LAN) as the victim, which means vulnerable Windows computers can be hacked remotely.

-- The attack is "wormable," capability to spread itself.

Microsoft's security team obviously agreed with the serious nature of this threat and within less than about 48 hours they have issued an update to the Malware Protection Engine in consumer and enterprise versions of their antimalware software.

Here is a list of the versions that are at risk if they do not receive this update:

-- Windows Defender for Windows 7, Windows 8.1, Windows RT 8.1, Windows 10 (Versions 1511, 1607, 1703)
-- Windows Server 2016
-- Microsoft Security Essentials
-- Microsoft Forefront Endpoint Protection 2010
-- Microsoft Endpoint Protection
-- Microsoft System Center Endpoint Protection
-- Microsoft Forefront Security for SharePoint Service Pack 3
-- Windows Intune Endpoint Protection

I find it interesting that Microsoft does not list Windows 10 Version 1507 on this list as vulnerable. Right now that version of the OS is still under support through today's Patch Tuesday releases. I have no reason to believe that its Malware Protection Engine is vulnerable t5o the same exact issue if left unpatched. Maybe this update is going out to those users still on Version 1507 and it was just omitted by accident.

If you want to get an idea about how this could have been exploited here is part of Microsoft's explanation about how this vulnerability could be used:

"To exploit this vulnerability, a specially crafted file must be scanned by an affected version of the Microsoft Malware Protection Engine. There are many ways that an attacker could place a specially crafted file in a location that is scanned by the Microsoft Malware Protection Engine. For example, an attacker could use a website to deliver a specially crafted file to the victim's system that is scanned when the website is viewed by the user. An attacker could also deliver a specially crafted file via an email message or in an Instant Messenger message that is scanned when the file is opened. In addition, an attacker could take advantage of websites that accept or host user-provided content, to upload a specially crafted file to a shared location that is scanned by the Malware Protection Engine running on the hosting server.

If the affected antimalware software has real-time protection turned on, the Microsoft Malware Protection Engine will scan files automatically, leading to exploitation of the vulnerability when the specially crafted file scanned. If real-time scanning is not enabled, the attacker would need to wait until a scheduled scan occurs in order for the vulnerability to be exploited. All systems running an affected version of antimalware software are primarily at risk."

I checked both of the systems I am traveling with this morning, Surface Book with Windows 10 Version 1703 and an HP Spectre x360 running Redstone 3 Build 16188, and each of them update the Malware Protection Engine to version Version 1.1.13704.0 over night while in connected standby.

Windows Defender Security Center About Page

No action is required by end users or system admins to get this update so if your system is connected then it should have updated but you can verify it is on Version 1.1.13704.0 by opening the Windows Defender Security Center (or the other software listed in the chart above), selecting the settings icon in the lower left corner of the app, select the About link on the right hand side of the app window and making sure your Engine version at least matches or is higher that what is shown in the above screenshot.


But, wait...there's probably more so be sure to follow me on Twitter and Google+.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.