On Friday, Microsoft released an out-of-band security update to fix several issues with the Malware Protection Engine discovered by Google's Project Zero team.
The issues are detailed in three separate Project Zero bug reports, and Microsoft has catalogued them in its Security Update Guide as CVE-2017-8535, CVE-2017-8536, CVE-2017-8537, CVE-2017-8538, CVE-2017-8539, CVE-2017-8540, CVE-2017-8541, and CVE-2017-8542.
Five of the eight are denial of service (DoS) flaws that crash the Malware Protection Engine (mpengine.dll) or stop it from scanning, leaving the host unprotected until the service restarts.
The other three are remote code execution (RCE) flaws, which are far more dangerous: a specially crafted file that the engine scans can run attacker-supplied code on the user's machine. Because that code executes inside the Malware Protection Engine service, it runs with SYSTEM-level privileges. Worse, the engine scans files automatically when real-time protection is on, so an attacker only needs to get the file onto the machine (as an email attachment, a download, or content served by a web page) or onto a server that scans user-uploaded content; the victim does not have to open it.
All eight issues have been fixed with the release of the Microsoft Malware Protection Engine version 1.1.13804.0.
Unless an administrator has deliberately disabled automatic engine updates, no user action is required to install this fix. The engine's built-in self-update mechanism, which ships new engine versions alongside definition updates, will install it automatically, typically within 48 hours of release.
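Administrators who would rather not wait for the self-update window can check the installed engine version against the fixed one and force an update. The following PowerShell script is an added example, not something from the original article or from Microsoft; it assumes the Defender PowerShell module (`Get-MpComputerStatus`, `Update-MpSignature`, available on Windows 8.1/Windows 10 and Server 2012 R2 and later) and falls back to reading the file version of mpengine.dll from the standard Windows Defender definition folder, with `MpCmdRun.exe` as the fallback updater. The version threshold is the one named above.

```powershell
# Added example: verify the Malware Protection Engine is at or above the fixed
# version (1.1.13804.0, from Microsoft's advisory) and force an update if not.
# Assumptions: Defender PowerShell module present; mpengine.dll lives under the
# standard Windows Defender "Definition Updates" folder; MpCmdRun.exe is in the
# default Windows Defender install directory.
$FixedVersion = [version]'1.1.13804.0'

function Get-MpEngineVersion {
    # Preferred path: the Defender module reports the engine version directly.
    if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
        $status = Get-MpComputerStatus
        if ($status.AMEngineVersion) { return [version]$status.AMEngineVersion }
    }
    # Fallback: take the newest mpengine.dll on disk and read its file version.
    $defPath = Join-Path $env:ProgramData 'Microsoft\Windows Defender\Definition Updates'
    $dll = Get-ChildItem -Path $defPath -Filter mpengine.dll -Recurse -ErrorAction SilentlyContinue |
        Sort-Object LastWriteTime -Descending | Select-Object -First 1
    if ($dll) { return [version]$dll.VersionInfo.FileVersion }
    return $null
}

function Test-MpEnginePatched {
    param([version]$Installed, [version]$Required = $FixedVersion)
    # An unknown version is treated as unpatched so the check fails closed.
    if (-not $Installed) { return $false }
    return ($Installed -ge $Required)
}

function Invoke-MpEngineUpdate {
    # Pull the latest definitions and engine now instead of waiting up to 48 hours.
    if (Get-Command Update-MpSignature -ErrorAction SilentlyContinue) {
        Update-MpSignature
    } else {
        $mpCmdRun = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
        & $mpCmdRun -SignatureUpdate
    }
}

$installed = Get-MpEngineVersion
if (Test-MpEnginePatched -Installed $installed) {
    Write-Output "Malware Protection Engine $installed is at or above $FixedVersion (patched)."
} else {
    Write-Warning "Malware Protection Engine '$installed' is older than $FixedVersion; updating now."
    Invoke-MpEngineUpdate
    Write-Output "Engine version after update: $(Get-MpEngineVersion)"
}
```

Run it from an elevated prompt. On Exchange Server, Forefront and System Center Endpoint Protection hosts the module and the definition folder differ, so on those systems only the version comparison carries over; read the engine version from the product's own console or its mpengine.dll and compare it against 1.1.13804.0 the same way.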
Because the Malware Protection Engine is part of several Microsoft products, all of them are affected. The list includes Windows Defender, Exchange Server, Windows Intune Endpoint Protection, Security Essentials, Endpoint Protection, and Forefront Endpoint Protection.
The last time Microsoft issued an out-of-band security update was also for a flaw in the Microsoft Malware Protection Engine, CVE-2017-0290.
That issue was likewise discovered by Google's Project Zero team, whose Tavis Ormandy described it as "crazy bad" and "the worst Windows remote code exec in recent memory." It was patched via an out-of-band security update released on May 8, a day before Microsoft's May Patch Tuesday.
Microsoft's next Patch Tuesday is scheduled for June 13, next week.