Immediately update Windows Defender: Microsoft released an implied update for a vulnerability that allowed remote code execution in the Malware Protection Engine that is used by Windows Defender software, Windows Defender, which is available by default in Windows 10.
It was discovered on May 12 by the well-known Google Zero security researcher, Tavis Ormandy. The flaw existed in the MsMpEng x86 simulator, and could be exploited by intruders with some obscure executable file, mainly because it was not sandboxed.
"MsMpEng includes a full x86 emulator used to run any unreliable files that look like executable PE files. The emulator runs like NT AUTHORITY \ SYSTEM and is not sandboxed. "Looking through the list of win32 APIs that the emulator supports, I noticed ntdll! NtControlChannel, an ioctl-like routine that allows the emulated code to control the emulator," explains the security expert.
"The 0x0C command allows you to convert a RegularExpressions controlled by an attacker to Microsoft GRETA (a library abandoned in the early 2000's) 0 The 12xXNUMX command allows you to load additional microcode that can replace opcodes… Various commands allow you to change runtime parameters and read UFS scan features and metadata. This is at least like a leak of confidentiality, as the attacker can search for the research features you have defined and then retrieve them through the scan results. ”
Ormandy calls the security flaw "a potentially extremely malicious vulnerability." The researcher reported this new vulnerability to Microsoft privately and the company developed a fix for Windows Defender last week. To stay protected, you should have automatic updates enabled and running the latest version of Windows Defender.
Microsoft has not yet issued a formal statement on the issue.