Microsoft has released fixes for two critical flaws in its Windows Defender product which could allow attackers to completely take control of a targeted system.
CVE-2017-11937 and CVE-2017-11940 are remote code execution (RCE) vulnerabilities that exist when the Microsoft Malware Protection Engine (MMPE) doesn’t properly scan a specially crafted file, leading to memory corruption.
A remote attacker could therefore use a specially crafted file to execute arbitrary code, leading to a full system compromise. The file could be emailed, IM’d or delivered via a compromised website, the alert noted.
As the engine automatically scans files in real time, the bugs could be exploited simply by getting a crafted file onto the system, whether or not the user ever opens it.
The updates fix the vulnerabilities by correcting the way in which the Microsoft Malware Protection Engine scans specially crafted files.
The software flaws affect Windows Defender on all supported Windows PC and server platforms, as well as Microsoft Endpoint Protection, Windows Intune Endpoint Protection, Security Essentials, Forefront Endpoint Protection and Exchange Server 2013 and 2016.
Fortunately, the vulnerabilities are not thought to have been publicly disclosed or exploited in the wild.
Most enterprise admins will not need to take any further action as the updates will be automatically deployed.
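The fix ships as a new version of the Malware Protection Engine rather than as a conventional Windows update, so the practical check for an admin is the engine version reported by the Defender PowerShell module. The script below is an added example and not part of the original article; `Get-MpComputerStatus` and `Update-MpSignature` are the real Defender cmdlets, but the minimum engine version is a placeholder that must be replaced with the fixed version number from Microsoft's advisory for these CVEs.

```powershell
# Added example: confirm the Windows Defender engine is at or above the fixed version.
# $MinimumEngineVersion is a PLACEHOLDER; substitute the fixed engine version from the
# Microsoft advisory for CVE-2017-11937 / CVE-2017-11940 before use.
$MinimumEngineVersion = [version]'0.0.0.0'

# Get-MpComputerStatus exposes the engine and signature versions currently loaded.
$status = Get-MpComputerStatus
$engine = [version]$status.AMEngineVersion

Write-Host ("Engine version: {0}  (signatures {1}, last updated {2})" -f `
    $status.AMEngineVersion, $status.AntivirusSignatureVersion, $status.AntivirusSignatureLastUpdated)

if ($engine -ge $MinimumEngineVersion) {
    Write-Host 'Engine is at or above the fixed version; no further action needed.'
} else {
    Write-Warning 'Engine is older than the fixed version; requesting an engine/signature update.'
    # Engine updates are delivered through the same channel as signature updates,
    # so forcing a signature update pulls the new engine if it has been published.
    Update-MpSignature
    $after = [version](Get-MpComputerStatus).AMEngineVersion
    Write-Host ("Engine version after update: {0}" -f $after)
}
```

On a fleet, the same check can be driven through `Invoke-Command` against a list of hosts and the results collected into a single report, which is the quickest way to catch machines whose automatic engine updates have stalled.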
Interestingly, the bugs were reported by the National Cyber Security Centre (NCSC), part of UK spy agency GCHQ.
It’s a nice bit of PR for NCSC, given that its role is to educate the populace and protect UK consumers and businesses from critical cyber-threats to essential services.
The organization has been an increasingly vocal presence in the news of late, warning government agencies earlier this month to effectively ban Russian AV for any networks processing information classified “secret” or above.
Several other critical MMPE bugs that allow remote code execution by hackers have already been discovered this year.