icetray - Fotolia

Emergency Microsoft patch out for Malware Protection Engine

A critical vulnerability found in the Windows Malware Protection Engine required an emergency Microsoft patch, but one expert said Microsoft hasn't handled the announcement well.

Just four days before the final Patch Tuesday of 2017, an emergency Microsoft patch was pushed out for a critical antimalware flaw.

The vulnerability in the Windows Malware Protection Engine (CVE-2017-11937) was first discovered by the U.K. National Cyber Security Centre, and it can affect systems running Windows 7, 8.1 and 10, as well as Windows Server 2016. A similar flaw was found in June by Tavis Ormandy, security researcher for Google's Project Zero.

According to the security advisory, the emergency Microsoft patch addresses a critical remote code execution vulnerability that can be exploited if a malicious actor gets the Malware Protection Engine to scan a specially crafted file.

Microsoft noted this could happen automatically if the malicious file is delivered to a system with real-time scanning turned on, and it could allow an attacker to "execute arbitrary code in the security context of the LocalSystem account and take control of the system ... then install programs; view, change, or delete data; or create new accounts with full user rights."

However, the emergency Microsoft patch should be automatically installed "within 48 hours of release," according to the advisory.

Michael Patterson, CEO of Plixer International Inc., a network traffic analysis company based in Kennebunk, Maine, said "although most consumers already have the necessary patch, this is no time to become overly confident in existing security defensive measures."

"Malware will make it into every organization connected to the internet. This means all companies need to prepare for the inevitable breach," Patterson told SearchSecurity. "When this happens, incident response systems need to have been rehearsed, and the data necessary for network traffic analytics needs to have been collected. An archive of logs and flows is a critical source of forensic data when odd traffic patterns need to be investigated." 

Antimalware software is one of the most critical pieces of software on a modern desktop and also one of the most valuable targets for an attacker.
Tyler Regulymanager of the Vulnerability and Exposure Research Team, Tripwire

Tyler Reguly, manager of the Vulnerability and Exposure Research Team at Tripwire in Portland, Ore., said it was nice to see the emergency Microsoft patch released so quickly, but he said Microsoft also appears to be deprioritizing customer communication with these security releases.

"Antimalware software is one of the most critical pieces of software on a modern desktop and also one of the most valuable targets for an attacker, especially products that have automated scanning of new files enabled. Most vendors will be plagued with issues like this from time to time, and it shouldn't scare people away from using the product. But, rather, they should feel hopeful that Microsoft released the [out-of-band patch] to ensure quicker protection for their customer," Reguly told SearchSecurity.

However, Reguly added, "the update has been available for nearly 48 hours, but the security guidance page still does not have links to an advisory, bulletin or KB [knowledge base] article. The details have been published, but they are not available via the link that Microsoft provided in their own notification email; you need to know the format of their URLs to build it yourself."

Dig Deeper on Application and platform security