Because NScript is part of Windows Defender, it has a high privilege level on a machine. Now, a Google security researcher has discovered what he terms a “crazy bad” exploit in Windows which has the capacity to easily spread.
Project Zero researchers find security issues and report them to Microsoft to fix within 90 days before Google goes public with the detailed information. However, it’s likely that Microsoft will extend 1607’s date of demise, as it did to 1507 and 1511, to separate it from the latter.
And Mr Ormandy later tweeted he had been “blown away” at the speedy response.
Microsoft quickly fixed the flaw after the duo reported it.
At the time, the researcher didn’t disclose any other details about the flaw that would have allowed others to figure out where it’s located, but said that potential exploits would affect Windows installations in their default configurations and could be self-propagating. His research and advice are considered valuable in software security circles since he has outed numerous zero-day flaws. This will open the About Windows dialog box, which displays the Windows 10 version that’s running on your computer. No extra software is needed for the attack to execute.
The vulnerability is particularly potent because of Windows Defender’s nature as an always-on antivirus utility.
Anti-virus software such as Windows Defender would merely have to scan the malicious content for the exploit to be triggered.
The RCE flaw could allow attackers to take control of systems by using malicious code in emails, instant messages and websites they create. Addressing the discovery in a security advisory this week, Microsoft confirmed that successful exploitation would see the attacker “take control of the system”. Doing so would have required attackers to make a “specially crafted file” meant to be scanned by the Microsoft Malware Protection Engine. Ormandy didn’t reveal any specifics of the exploit yet and details about the issue are scarce.
Even with Patch Tuesday less than 24 hours away, Microsoft didn’t wait to patch a risky Windows remote code execution flaw that was discovered by Google’s Project Zero just days earlier. The update that Microsoft has released today corrects the issue and will be installed automatically for all users of the affected versions within two days.
“Typically, no action is required of enterprise administrators or end users to install updates for the Microsoft Malware Protection Engine, because the built-in mechanism for the automatic detection and deployment of updates will apply the update within 48 hours of release”.
“Since the initial release of Windows 10 in July 2015, Microsoft has released two additional feature updates that build upon each other, delivering the newest features and more comprehensive security”, Microsoft explains.
The vulnerable version of MMPE is 1.1.13701.0, and the first with the fix implemented is 1.1.13704.0. MsMpEng runs as NT AUTHORITY\SYSTEM without sandboxing, and is remotely accessible without authentication via various Windows services, including Exchange, IIS, and so on.
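The version numbers and the 48-hour automatic-update window above can be turned into a fleet check. The following is an added example, not code from Microsoft or Project Zero: it triages an inventory of engine versions against the first fixed build. The host names, the inventory rows and the release timestamp are constructed for illustration; in practice the version field would come from whatever inventory source you already have.

```python
from datetime import datetime, timedelta

FIXED_ENGINE = (1, 1, 13704, 0)           # first fixed engine version, per the article
AUTO_UPDATE_WINDOW = timedelta(hours=48)  # deployment window quoted from Microsoft

def parse_engine_version(text):
    """Return a 4-int tuple for 'a.b.c.d', or None if the field is unusable."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def triage(rows, release_time, now):
    """Map host -> 'patched' | 'pending' | 'overdue' | 'unknown'.

    'pending' = old engine but still inside the 48-hour auto-update window;
    'overdue' = old engine after the window closed, so auto-update likely failed.
    """
    window_closed = (now - release_time) > AUTO_UPDATE_WINDOW
    result = {}
    for host, version_text in rows:
        version = parse_engine_version(version_text)
        if version is None:
            result[host] = "unknown"      # missing or malformed field: check by hand
        elif version >= FIXED_ENGINE:     # numeric compare, component by component
            result[host] = "patched"
        else:
            result[host] = "overdue" if window_closed else "pending"
    return result

# Constructed sample inventory (hypothetical hosts).
SAMPLE = [
    ("ws-01", "1.1.13701.0"),   # the vulnerable build named in the article
    ("ws-02", "1.1.13704.0"),   # the first fixed build
    ("ex-01", "1.1.13804.0"),   # later build
    ("iis-01", "1.1.9901.0"),   # older, although "9901" sorts after "13704" as a string
    ("ws-03", ""),              # agent reported nothing
]
RELEASE = datetime(2000, 1, 1)  # constructed placeholder for the update's release time

if __name__ == "__main__":
    for host, state in triage(SAMPLE, RELEASE, RELEASE + timedelta(hours=72)).items():
        print(f"{host:8} {state}")
```

Hosts reported as overdue or unknown are the ones to follow up on, since the engine normally updates itself without administrator action.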