Microsoft Releases Out of Band Patch for Vulnerability in Malware Protection Engine

This issue affects the Malware Protection Engine in multiple versions of Microsoft's antimalware security software and all users, IT Pros, and System Admins should verify their software is up to date.

Richard Hay, Senior Content Producer

May 9, 2017

4 Min Read
Microsoft Releases Out of Band Patch for Vulnerability in Malware Protection Engine

Microsoft has issued an Out of Band (OOB) update for the Malware Protection Engine in all of its current versions of antimalware software.

They say Windows as a Service (WaaS) is part of an agile development process and it certainly appears that agility was used to address this security concern in Microsoft's Malware Protection Engine that is used across all of its antimalware security software offerings.

This vulnerability was discovered this past weekend and, according to reports by those who discovered it, it was a serious threat with these characteristics:

-- The vulnerability they claimed to have discovered works against default Windows installations.

-- The attacker does not need to be on the same local area network (LAN) as the victim, which means vulnerable Windows computers can be hacked remotely.

-- The attack is "wormable," capability to spread itself.

Microsoft's security team obviously agreed with the serious nature of this threat and within less than about 48 hours they have issued an update to the Malware Protection Engine in consumer and enterprise versions of their antimalware software.

Here is a list of the versions that are at risk if they do not receive this update:

-- Windows Defender for Windows 7, Windows 8.1, Windows RT 8.1, Windows 10 (Versions 1511, 1607, 1703)
-- Windows Server 2016
-- Microsoft Security Essentials
-- Microsoft Forefront Endpoint Protection 2010
-- Microsoft Endpoint Protection
-- Microsoft System Center Endpoint Protection
-- Microsoft Forefront Security for SharePoint Service Pack 3
-- Windows Intune Endpoint Protection

I find it interesting that Microsoft does not list Windows 10 Version 1507 on this list as vulnerable. Right now that version of the OS is still under support through today's Patch Tuesday releases. I have no reason to believe that its Malware Protection Engine is vulnerable t5o the same exact issue if left unpatched. Maybe this update is going out to those users still on Version 1507 and it was just omitted by accident.

If you want to get an idea about how this could have been exploited here is part of Microsoft's explanation about how this vulnerability could be used:

"To exploit this vulnerability, a specially crafted file must be scanned by an affected version of the Microsoft Malware Protection Engine. There are many ways that an attacker could place a specially crafted file in a location that is scanned by the Microsoft Malware Protection Engine. For example, an attacker could use a website to deliver a specially crafted file to the victim's system that is scanned when the website is viewed by the user. An attacker could also deliver a specially crafted file via an email message or in an Instant Messenger message that is scanned when the file is opened. In addition, an attacker could take advantage of websites that accept or host user-provided content, to upload a specially crafted file to a shared location that is scanned by the Malware Protection Engine running on the hosting server.

If the affected antimalware software has real-time protection turned on, the Microsoft Malware Protection Engine will scan files automatically, leading to exploitation of the vulnerability when the specially crafted file scanned. If real-time scanning is not enabled, the attacker would need to wait until a scheduled scan occurs in order for the vulnerability to be exploited. All systems running an affected version of antimalware software are primarily at risk."

I checked both of the systems I am traveling with this morning, Surface Book with Windows 10 Version 1703 and an HP Spectre x360 running Redstone 3 Build 16188, and each of them update the Malware Protection Engine to version Version 1.1.13704.0 over night while in connected standby.

No action is required by end users or system admins to get this update so if your system is connected then it should have updated but you can verify it is on Version 1.1.13704.0 by opening the Windows Defender Security Center (or the other software listed in the chart above), selecting the settings icon in the lower left corner of the app, select the About link on the right hand side of the app window and making sure your Engine version at least matches or is higher that what is shown in the above screenshot.


But, wait...there's probably more so be sure to follow me on Twitter and Google+.

Read more about:


About the Author(s)

Richard Hay

Senior Content Producer, IT Pro Today (Informa Tech)

I served for 29 plus years in the U.S. Navy and retired as a Master Chief Petty Officer in November 2011. My work background in the Navy was telecommunications related so my hobby of computers fit well with what I did for the Navy. I consider myself a tech geek and enjoy most things in that arena.

My first website – – came online in 1995. Back then I used GeoCities Web Hosting for it and is the result of the work I have done on that site since 1995.

In January 2010 my community contributions were recognized by Microsoft when I received my first Most Valuable Professional (MVP) Award for the Windows Operating System. Since then I have been renewed as a Microsoft MVP each subsequent year since that initial award. I am also a member of the inaugural group of Windows Insider MVPs which began in 2016.

I previously hosted the Observed Tech PODCAST for 10 years and 317 episodes and now host a new podcast called Faith, Tech, and Space. 

I began contributing to Penton Technology websites in January 2015 and in April 2017 I was hired as the Senior Content Producer for Penton Technology which is now Informa Tech. In that role, I contribute to ITPro Today and cover operating systems, enterprise technology, and productivity.

Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.

You May Also Like