
A major security flaw in Microsoft anti-malware application Windows Defender that affected recent versions of Windows and allowed an attacker to remotely take over a victim’s computer has been patched by Microsoft.

The vulnerability, known officially as CVE-2017-0290, could be exploited on Windows 7, 8, 8.1, 10 and Server 2016 machines. The flaw sat in Windows Defender itself and could be triggered when the tool scanned a malicious email or instant message. The attack did not require any interaction with the system owner to infect a machine.


The exploit involved MsMpEngine, a core process of Windows Defender, which contains a component called NScript that analyzes JavaScript activity. NScript can be exploited using a few lines of JavaScript, which can be injected into a website, email, instant message or any other type of file that may be scanned by Windows Defender.

Because NScript is part of Windows Defender, it has a high privilege level on a machine. If it is exploited, the attacker can quickly gain access to the security tool’s privileges on the machine—and it can do so without ever interacting with the user.

Tavis Ormandy and Natalie Silvanovich, security researchers at Google Project Zero, first discovered the flaw. In a series of tweets, Ormandy called the exploit "the worst Windows remote code exec in recent memory" and warned that it is “wormable,” meaning it could produce a chain of similar attacks across a number of vulnerable machines.

The vulnerability presents considerable trouble for Windows users—Windows Defender is intended to keep users safe, but trusting the Microsoft-developed program that comes installed by default on all Windows machines actually left users at risk.


While security researchers feared it might be a matter of weeks before Microsoft was able to act on the bug, the company pushed out an emergency update for the vulnerability within just days of it being brought to light.

The fix comes in the form of an automatic patch that should find its way onto most machines without much user interaction. Windows Defender updates every 48 hours, and the most recent update contains the patch.

Microsoft did note that the risk of an attacker remotely executing code is lower on Windows 10 and Windows 8.1 than on previous versions of the operating system because of CFG (Control Flow Guard), a security feature that protects against memory corruption. Still, users are advised to confirm that their machine has received the fix for the vulnerability.

How To Check If Windows Defender Is Up To Date

Users who are concerned about the vulnerability and want to make sure their machine is protected can check their version of Windows Defender to make sure it is up to date.

To do so, go to the Start menu and open the Settings app. Click on Update & Security and select Windows Defender from the side bar. If Windows Defender is running with engine version number 1.1.13704.0 or higher, your machine has been patched.
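The same check can be scripted for machines that cannot be inspected by hand. The following PowerShell snippet is an added example and is not part of the original article or of any Microsoft documentation; it assumes the Defender PowerShell module (Get-MpComputerStatus and Update-MpSignature) is present, which is the case on Windows 8.1, Windows 10 and Server 2016 but not on Windows 7, where the Settings check above remains the option. The patched engine version 1.1.13704.0 is the one named in the article.

```powershell
# Added example (not from the article): compare the running Windows Defender
# engine version with the patched engine version 1.1.13704.0 named in the article.
# Assumes the Defender PowerShell module is available (Windows 8.1 / 10 / Server 2016).

$patchedEngine = [version]'1.1.13704.0'

function Test-DefenderEnginePatched {
    param([version]$MinimumEngine = $patchedEngine)

    # Get-MpComputerStatus reports the engine, signature and protection state.
    $status = Get-MpComputerStatus
    $engine = [version]$status.AMEngineVersion

    [pscustomobject]@{
        EngineVersion        = $engine
        MinimumEngine        = $MinimumEngine
        Patched              = ($engine -ge $MinimumEngine)
        RealTimeProtectionOn = $status.RealTimeProtectionEnabled
        LastSignatureUpdate  = $status.AntivirusSignatureLastUpdated
    }
}

$result = Test-DefenderEnginePatched
$result | Format-List

if (-not $result.Patched) {
    Write-Warning "Engine $($result.EngineVersion) is older than $patchedEngine; requesting an update now."
    # Pulls the latest definitions and engine from Microsoft Update instead of
    # waiting for the next scheduled update cycle (roughly every 48 hours).
    Update-MpSignature
    Test-DefenderEnginePatched | Format-List
}
```

Run it from an elevated PowerShell prompt; the `Patched` field is the value to look at, and the real-time protection and last-update fields help explain a stale engine (for example, a machine that has been offline since the update was released).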