On Wednesday, Microsoft started rolling out an update to all Windows products that rely on the Malware Protection Engine for security scans.
The update fixes a security bug discovered by the UK National Cyber Security Centre (NCSC), a branch of the UK Government Communications Headquarters (GCHQ), the country's official intelligence and security agency.
Microsoft says the bug, tracked as CVE-2017-11937, is rated "Critical" in terms of severity and allows remote code execution on vulnerable products.
To exploit this flaw, an attacker must first craft a malformed file and deliver it to the target computer, for example via email, inside an IM message, as part of a website's code that loads when the user visits the site, or by placing it in another location that the Microsoft Malware Protection Engine scans by default.
Because the Microsoft Malware Protection Engine scans files automatically and in real time, the malformed file is processed as soon as it lands on the system, which makes exploitation immediate and easy.
The Malware Protection Engine is included with products such as Windows Defender, Microsoft Security Essentials, Microsoft Endpoint Protection, and Windows Intune Endpoint Protection — on all currently supported Windows versions, which are Windows 7 and later.
Microsoft patched this bug in Microsoft Malware Protection Engine (MMPE) version 1.1.14405.2.
The good news is that Microsoft has specifically designed a self-update mechanism for this component. This means that most users have already silently received this update, unless they have opted to block MMPE updates by tweaking registry keys or via Group Policy.
Users who have blocked those updates should take note of this critical MMPE update and allow the component to upgrade.
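To confirm that a host has actually picked up the fixed engine, the following PowerShell check is an added example, not code from the article or from Microsoft. It assumes the Windows Defender PowerShell module (Windows 8.1, Windows 10 and Windows Server 2016 or later); Windows 7 hosts running Microsoft Security Essentials lack these cmdlets and must be checked by other means.

```powershell
# Added example (not from the article): verify the Malware Protection Engine
# build on this host against the version Microsoft states fixes CVE-2017-11937.
# Assumes the Defender module (Get-MpComputerStatus, Update-MpSignature).
$FixedEngine = [version]'1.1.14405.2'   # fixed build quoted in the article

function Test-MmpeEnginePatched {
    param([version]$Minimum = $FixedEngine)

    # AMEngineVersion is the MMPE build; it is separate from the definition version.
    $status = Get-MpComputerStatus -ErrorAction Stop
    $engine = [version]$status.AMEngineVersion

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        EngineVersion   = $engine
        RequiredVersion = $Minimum
        Patched         = ($engine -ge $Minimum)
        LastUpdated     = $status.AntivirusSignatureLastUpdated
    }
}

$result = Test-MmpeEnginePatched
$result | Format-List

if (-not $result.Patched) {
    # Engine builds normally arrive silently with definition updates; request one now.
    Write-Warning "Engine $($result.EngineVersion) is below $FixedEngine; requesting an update."
    Update-MpSignature -ErrorAction Stop

    $after = Test-MmpeEnginePatched
    if ($after.Patched) {
        Write-Host "Engine is now $($after.EngineVersion); host is patched."
    } else {
        # A host that stays behind after a forced update is the case the article
        # describes: MMPE updates blocked via registry keys or Group Policy.
        Write-Warning "Engine still $($after.EngineVersion); check whether MMPE updates are blocked by policy."
    }
}
```

Run it from an elevated prompt; in a fleet, the returned object can be collected per host and filtered on `Patched -eq $false`.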
This is not the only critical-level fix the MMPE component has received this year: three other similar bugs, each of which would have allowed attackers to remotely execute code on Windows workstations running outdated MMPE components, were addressed earlier in 2017 [1, 2, 3].