UPDATED 22:25 EDT / APRIL 04 2018


Microsoft rushes out patch for critical Windows Defender vulnerability

For the second month in a row, Microsoft Corp. has released a security-related patch ahead of its traditional “Patch Tuesday” release, addressing a critical vulnerability in its Windows Defender security software.

The patch released by Microsoft today directly addresses a vulnerability tracked as CVE-2018-0986. It affects the Microsoft Malware Protection Engine, the scanning core of Windows Defender that is also used by Microsoft Security Essentials, Microsoft Forefront Endpoint Protection 2010, Microsoft Exchange Server 2013 and 2016, and Windows Intune Endpoint Protection.

Microsoft describes the flaw as a remote code execution vulnerability: the Microsoft Malware Protection Engine does not properly scan a specially crafted file, leading to memory corruption. An attacker who exploits it could execute arbitrary code in the security context of the LocalSystem account, the most privileged account on a Windows machine, and take control of the targeted system, allowing them to install programs, view, change or delete data, and create new accounts with full user rights.

Explaining why the vulnerability was rated “critical,” Microsoft said there are many ways an attacker could place a specially crafted file somewhere the engine will scan it, including delivery through a website, an email attachment or a messaging client, with no interaction from the user required beyond the scan itself. “If real-time scanning is not enabled, the attacker would need to wait until a scheduled scan occurs in order for the vulnerability to be exploited,” Microsoft added. “All systems running an affected version of antimalware software are primarily at risk.”

For users of the affected products, the good news is that no manual action is required: the engine is updated through the same automatic channel as malware definitions, and the fixed version will be rolled out over the next 48 hours. Administrators who want to confirm that a machine has received it can compare the engine version reported by Windows Defender (for example, the AMEngineVersion field returned by Get-MpComputerStatus in PowerShell) against the fixed engine version listed in Microsoft's advisory for CVE-2018-0986.

The root cause is being attributed to Microsoft's use of a forked copy of the open-source UnRAR decompression code inside its Malware Protection Engine, and to changes Microsoft made to that fork. Calling it a “fork-and-bork,” The Register reported that the code was modified so that signed integer variables were converted to unsigned ones, with knock-on effects on the comparisons that use them: a test such as “is this value negative” can never be true once the variable is unsigned, and a comparison between a signed quantity and an unsigned one silently converts the signed side to unsigned, so a negative length or offset is treated as a very large positive one. Bounds checks that relied on those comparisons therefore stopped rejecting bad input, leaving the engine open to memory corruption that can crash the antivirus package or allow malicious code to execute.
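The following is an added illustration of the signed-to-unsigned pattern described above, written for this page; it is not code from UnRAR, from Microsoft's fork, or from The Register's report, and the buffer sizes and the three check functions are constructed solely to show the mechanism. It compares a bounds check written entirely with signed integers, the same check after one operand has been made unsigned (which is enough to make it accept out-of-bounds input), and a version that handles unsigned lengths correctly.

```c
/* Added example: how changing one signed variable to unsigned defeats a
 * length check. Not UnRAR's or Microsoft's code; sizes are constructed. */
#include <stdbool.h>
#include <stdio.h>

/* Original-style check, all operands signed. 'available' can go negative
 * when a previous field has already moved the read position past the end
 * of the buffer, and signed-vs-signed comparison rejects that case. */
bool copy_ok_signed(int buf_size, int consumed, int want)
{
    int available = buf_size - consumed;   /* negative if over-consumed */
    if (want < 0)
        return false;                      /* negative length is invalid */
    return want <= available;              /* 5 <= -3 is false: rejected */
}

/* "Fork-and-bork" variant: 'want' is now unsigned. The 'want < 0' test
 * was dropped because it could no longer be true, and in the remaining
 * comparison C converts the signed 'available' to unsigned, so -3 becomes
 * 4294967293 and any small 'want' passes the check. */
bool copy_ok_unsigned(int buf_size, int consumed, unsigned int want)
{
    int available = buf_size - consumed;
    return want <= (unsigned int)available; /* explicit cast shows what the
                                               compiler does implicitly */
}

/* Correct handling of an unsigned length: validate the signed quantities
 * first, and only then compare in a single, unsigned domain. */
bool copy_ok_fixed(int buf_size, int consumed, unsigned int want)
{
    if (buf_size < 0 || consumed < 0 || consumed > buf_size)
        return false;                      /* over-consumed: nothing left */
    unsigned int available = (unsigned int)(buf_size - consumed);
    return want <= available;
}

int main(void)
{
    /* Constructed scenario: a 64-byte block whose earlier fields have
     * already advanced the cursor to offset 67, and a request for 5 more. */
    const int buf_size = 64, consumed = 67, want = 5;
    printf("signed check   accepts: %d\n", copy_ok_signed(buf_size, consumed, want));
    printf("unsigned check accepts: %d\n", copy_ok_unsigned(buf_size, consumed, (unsigned int)want));
    printf("fixed check    accepts: %d\n", copy_ok_fixed(buf_size, consumed, (unsigned int)want));
    return 0;
}
```

In the over-consumed case the signed and fixed checks both refuse the copy, while the unsigned variant accepts it; a memcpy guarded only by that variant would then read or write past the end of the buffer, which is the class of memory corruption the article describes. Compiling with -Wsign-compare would have flagged the mixed comparison, which is a cheap check to turn on whenever a code base changes the signedness of existing variables.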
