Microsoft again patched a critical vulnerability in Windows Defender, Security Essentials, and other security software that allowed an attacker to take over vulnerable Windows computers. The vulnerability was in the Malware Protection Engine. The patch was released last week and is different from a similar vulnerability for which the software giant previously released an emergency patch.
The Malware Protection Engine is used by the built-in virus scanner Windows Defender, but also by other security software from Microsoft, such as Security Essentials, Microsoft Endpoint Protection and Microsoft Forefront Security for SharePoint Service. The software normally runs in the background and continuously scans files and websites.
The vulnerability made it possible for an attacker to execute arbitrary code with system privileges by sending an email to the victim. Simply receiving the email was enough to fall victim to the attack, because all received emails are scanned by the Malware Protection Engine.
The vulnerability was discovered by Google security researcher Tavis Ormandy, who reported the issue to Microsoft on the 12th of May. Ormandy previously discovered a similar issue in the Malware Protection Engine for which Microsoft released an emergency patch and warning. The new vulnerability was silently patched last Wednesday, according to Ormandy.
Ormandy reported on the 25th of May that Microsoft had silently rolled out an update. The same day, Microsoft published an overview of all the vulnerabilities it patched in the Malware Protection Engine.