Microsoft Issues Emergency Patch For Critical RCE in Windows Malware Scanner

Make sure you get this Microsoft update asap.

Microsoft’s own antivirus software made Windows 7, 8.1, RT and 10 computers, as well as Windows Server 2016 more vulnerable.

Microsoft has just released an out-of-band security update to patch the crazy bad bug discovered by a pair of Google Project Zero researchers over the weekend.

Security researchers Tavis Ormandy announced on Twitter during the weekend that he and another Project Zero researcher Natalie Silvanovich discovered “the worst Windows remote code [execution vulnerability] in recent memory.”

Natalie Silvanovich also published a proof-of-concept (PoC) exploit code that fits in a single tweet.

The reported RCE vulnerability, according to the duo, could work against default installations with “wormable” ability – capability to replicate itself on an infected computer and then spread to other PCs automatically.

According to an advisory released by Microsoft, the remotely exploitable security flaw (CVE-2017-0290) exists in Microsoft Malware Protection Engine (MMPE) – the company’s own antivirus engine that could be used to fully compromise Windows PCs without any user interaction.

Source: Microsoft Issues Emergency Patch For Critical RCE in Windows Malware Scanner