MMPE updated version

On Wednesday, Microsoft started rolling out an update to all Windows products that rely on the Malware Protection Engine for security scans.

The update brings a security bugfix for a bug discovered by the UK National Cyber Security Centre (NCSC), a branch of the UK Government Communications Headquarters (GCHQ), the country's official intelligence and security agency.

Critical MMPE bug allows remote code execution

Microsoft says the bug, tracked as CVE-2017-11937, is rated "Critical" in terms of severity and allows remote code execution on vulnerable products.

A remote code execution vulnerability exists when the Microsoft Malware Protection Engine does not properly scan a specially crafted file, leading to memory corruption. An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the LocalSystem account and take control of the system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

To exploit this flaw, an attacker must first craft a malformed file and deliver it to the target computer: via email, inside IM messages, as part of a website's code loaded when the user visits the site, or by placing it in other locations that the Microsoft Malware Protection Engine scans by default.

The Microsoft Malware Protection Engine is designed to scan files in real time automatically, leading to immediate and easy exploitation of the vulnerability.

The Malware Protection Engine is included with products such as Windows Defender, Microsoft Security Essentials, Microsoft Endpoint Protection, and Windows Intune Endpoint Protection — on all currently supported Windows versions, which are Windows 7 and later.

Patched in MMPE v1.1.14405.2

Microsoft patched this bug in the Microsoft Malware Protection Engine version 1.1.14405.2.

The good news is that Microsoft has specifically designed a self-update mechanism for this component. This means that most users have already silently received this update unless they have opted to block MMPE updates by tweaking registry keys or via group policies.

Users who have blocked those updates should take note of this critical MMPE update and allow the component to upgrade.
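One way to confirm that a machine has actually received the fixed engine, as an added example that is not part of the article: the Defender PowerShell module's `Get-MpComputerStatus` reports the engine build in its `AMEngineVersion` property, which can be compared against the patched version the article names. The function name `Test-MpEngineVersion` is this example's own; the cmdlets and property names are the module's.

```powershell
# Added example (not from the article): check whether the local Malware
# Protection Engine is at or above the patched build named in the article.
# AMEngineVersion is the engine build, distinct from the signature version.
function Test-MpEngineVersion {
    param(
        # Minimum fixed engine version, as stated in the article.
        [version]$MinimumVersion = [version]'1.1.14405.2'
    )
    $status = Get-MpComputerStatus -ErrorAction Stop
    $engine = [version]$status.AMEngineVersion
    [pscustomobject]@{
        EngineVersion    = $engine
        MinimumVersion   = $MinimumVersion
        Patched          = ($engine -ge $MinimumVersion)
        SignatureVersion = $status.AntivirusSignatureVersion
        LastUpdated      = $status.AntivirusSignatureLastUpdated
    }
}

$result = Test-MpEngineVersion
$result | Format-List

if (-not $result.Patched) {
    # Engine is behind the fixed build: request an update through the normal
    # channel (engine updates ship with definition updates) and re-check.
    Update-MpSignature
    (Test-MpEngineVersion).Patched
}
```

If `Patched` stays `$false` after the update request, the engine updates are most likely blocked by the registry or group-policy settings the article mentions, which is where to look next.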

This is not the only critical-level fix the MMPE component received this year. There have been three other similar bugs this year alone that would have allowed attackers to remotely execute code on Windows workstations running outdated MMPE components [1, 2, 3].
