Microsoft rushes emergency fix for critical antivirus bug


The point of antivirus is to keep malware off the system. A particularly nasty software flaw in Microsoft’s antivirus engine could do the exact opposite and let attackers install malware on vulnerable systems. 

The critical security vulnerability in the Microsoft Malware Protection Engine affects a number of Microsoft products, including Windows Defender, Windows Intune Endpoint Protection, Microsoft Security Essentials, Microsoft System Center Endpoint Protection, Microsoft Forefront Security for SharePoint, Microsoft Endpoint Protection, and Microsoft Forefront Endpoint Protection. These tools are enabled by default in Windows 8, 8.1, 10, and Windows Server 2012.

Microsoft released an emergency out-of-band security update to fix the remotely exploitable type confusion bug (CVE-2017-0290) on Monday, along with a security advisory. 

“Vulnerabilities in MsMpEng [Microsoft Malware Protection Engine] are among the most severe possible in Windows, due to the privilege, accessibility, and ubiquity of the service,” said Tavis Ormandy, a security researcher with Google’s Project Zero, who found the flaw along with fellow researcher Natalie Silvanovich, who called it “crazy bad.”