A massive and rather embarrassing remote code execution vulnerability has been discovered in Microsoft’s MsMpEng, the malware protection engine used by Windows Defender, Microsoft Security Essentials, Microsoft Forefront, and Microsoft Endpoint in almost every recent version of Windows (7, 8, 8.1, 10, and Server 2016). Notably, Windows Defender is installed by default on all consumer-oriented Windows PCs.
The exploit (officially dubbed CVE-2017-0290) allows for a remote attacker to take over a system without any interaction from the system owner: it’s simply enough for the attacker to send an e-mail or instant message that is scanned by Windows Defender. Likewise, anything else that is automatically scanned by Microsoft’s malware protection engine—websites, file shares—could be used as an attack vector.
Because MsMpEng runs at the highest privilege level and is so ubiquitous across Windows PCs, this vulnerability is about as bad as it gets. Fortunately, the security researchers who discovered it—Natalie Silvanovich and Tavis Ormandy of Google Project Zero—reported it responsibly, and last night Microsoft released a patch. MsMpEng automatically updates every 48 hours, so disaster has probably been averted. The security bulletin notes that Microsoft hadn’t seen any public exploitation of the vulnerability.