It’s like Pepsi declaring that Coke won a taste test: Google Project Zero security researchers discovered a in Microsoft’s Malware Protection Engine, and two days later the Microsoft Security Response Center not only fixed the bug but also rolled out the update through the usual Windows Defender update mechanism.
The bug in the main Windows Defender program was described in . Chances are good your Windows computer got the fix last night.
Google Project Zero security researchers Tavis Ormandy and Natalie Silvanovich are credited with discovering the vulnerability. that the security hole was “the worst Windows remote code exec in recent memory… crazy bad.”
After Microsoft’s quick action on the bug, Ormandy—ordinarily one of Microsoft’s biggest critics—was . “What an amazing response, thanks so much Simon and MSRC! That was incredible work.”
wuauserv, the Windows Update service).
The easiest way to make sure you got the fix is to check the version number for MsMpEng.exe, the Microsoft Malware Protection Engine. You’re looking for engine version 1.1.13704.0 or higher (1.1.13701.0 has the security hole). Here’s how to hunt down the version:
- In Windows 7, click Start > Run, type Windows Defender, and press Enter. Click the down arrow at the top on the right and choose About Windows Defender. To manually update the engine, click the down arrow, then Check for updates.
- In Windows 8.1, click Start and in the search box type Windows Defender. Then follow the instructions for Windows 7.
- In Windows 10, type Windows Defender in the Cortana search box and press Enter. In the upper-right corner, click Settings. Scroll down to the bottom and your Engine version appears under Version info. If you don’t have 1.1.13704.0, go into Windows Update (Start > Settings > Update & security), then click Check for updates. The new Windows Defender update (188.8.131.52 on my 1607 PC) should appear. Wait and make sure Windows installs it.
For technical details about the security hole, read Ormandy and Silvanovich’s article on the . The problem boils down to a failure of one function in a privileged kernel program to validate the argument being passed to it. As a result, a bad guy can rig nearly anything to trigger remote execution. The flaw digs into Windows using the component of MsMpEng called mpengine:
Has anybody examined what Microsoft’s “fix” of the Defender vulnerability is? Did they just resolve the type confusion?
Discussion continues on the .