Microsoft has patched a critical vulnerability in Windows Defender, Security Essentials and other Microsoft security applications that use the Microsoft Malware Protection Engine. The vulnerability allowed an attacker to take control of the system without any user interaction. Serving a specially crafted file from a malicious website, or sending it through email or instant messenger, is sufficient for an attacker to infect a computer on which files are automatically scanned by a product powered by the Microsoft Malware Protection Engine. Once the scanner opens the specially crafted file, memory corruption occurs.
After the memory corruption, an attacker “could execute arbitrary code in the security context of the LocalSystem account and take control of the system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” Microsoft explains.
On systems with real-time protection, the system becomes infected nearly instantly. With real-time protection disabled, the attacker has to wait until a scheduled scan takes place.
The vulnerability exists in versions prior to 1.1.14600.5 of the Microsoft Malware Protection Engine. Systems running the Microsoft Malware Protection Engine are automatically updated to the latest version of the engine.
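To confirm that a machine has received the fixed engine, the following added example (not from Microsoft or the original article) compares an engine version against the 1.1.14600.5 threshold stated above. The function name `Test-MpEngineVersion` is hypothetical and the sample versions are constructed; reading the local value assumes the Defender PowerShell module's `Get-MpComputerStatus` cmdlet is present.

```powershell
# Added example. First fixed engine version, as stated in the article.
$FixedEngineVersion = [version]'1.1.14600.5'

function Test-MpEngineVersion {
    [CmdletBinding()]
    param(
        # Engine version string to evaluate. When omitted, the local value
        # is read from Get-MpComputerStatus (Defender module).
        [string]$EngineVersion
    )

    if (-not $EngineVersion) {
        if (-not (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue)) {
            throw 'Get-MpComputerStatus is not available; pass -EngineVersion explicitly.'
        }
        $EngineVersion = (Get-MpComputerStatus).AMEngineVersion
    }

    # Inventory exports can contain blanks or placeholders; report them
    # as Unknown instead of failing or silently treating them as patched.
    $parsed = $null
    if (-not [version]::TryParse($EngineVersion, [ref]$parsed)) {
        return [pscustomobject]@{ EngineVersion = $EngineVersion; Status = 'Unknown' }
    }

    # [version] compares component by component, so 1.1.14600.4 sorts
    # below 1.1.14600.5 and 1.1.14700.3 sorts above it.
    $status = if ($parsed -lt $FixedEngineVersion) { 'Vulnerable' } else { 'Patched' }
    [pscustomobject]@{ EngineVersion = $EngineVersion; Status = $status }
}

# Constructed sample values, e.g. from a fleet inventory export.
'1.1.14500.5', '1.1.14600.4', '1.1.14600.5', '1.1.14700.3', 'n/a' |
    ForEach-Object { Test-MpEngineVersion -EngineVersion $_ }

# Check the local machine instead:
# Test-MpEngineVersion
```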
According to Microsoft, the vulnerability is not being exploited ‘in the wild’. The software giant also doesn’t expect attackers to try to exploit the vulnerability in the future.