
Patch released to fix a critical remote code execution vulnerability in the Microsoft Malware protection engine


This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts and may contain outdated or inaccurate information. Use of the information contained in this page is at your own risk.

Summary

An update has been released by Microsoft to fix a critical remote code execution vulnerability in the Microsoft malware protection engine.

Threat details

To exploit this vulnerability, a specially crafted file must be scanned by an affected version of the Microsoft Malware Protection Engine.

An attacker could deliver the specially crafted file by any file transfer method, including email, MMS, removable media, shared network storage or the download of the file from a website.

An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the LocalSystem account and take control of the system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

The update addresses the vulnerability by correcting the manner in which the Microsoft Malware Protection Engine scans specially crafted files.
For further information, see Microsoft Security Advisory 4022344 and CVE-2017-0290.


Remediation steps

  • Check all affected products are configured correctly and receiving updates. Updates to the Microsoft Malware Protection Engine will automatically be installed along with the updated malware definitions for the affected products.
  • Administrators of enterprise antimalware deployments should ensure that their update management software is configured to automatically approve and distribute engine updates and new malware definitions. Enterprise administrators should also verify that the latest version of the Microsoft Malware Protection Engine and definition updates are being actively downloaded, approved and deployed in their environment.
  • For all affected products, check that the Microsoft Malware Protection Engine has been updated to version 1.1.13704.0 or later. For more information on how to verify the version number of the Microsoft Malware Protection Engine that your software is currently using, see the section "Verifying Update Installation" in Microsoft Knowledge Base Article 2510781.
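The following PowerShell script is an added example for the last step and is not part of the NHS Digital alert or of any Microsoft documentation. It reads the engine version that Windows Defender reports through Get-MpComputerStatus and compares it, as a [version] rather than a string, with the fixed version 1.1.13704.0; it assumes the Defender PowerShell module is present (Windows 8 / Server 2012 or later), which is not the case for every affected product, and the host list in it is constructed.

```powershell
# Added example (not from the alert): verify the Malware Protection Engine version on one or many hosts.
# Assumes Get-MpComputerStatus (Windows Defender module) is available on the target. Other affected
# products (for example System Center Endpoint Protection) expose the version in their "About" dialog,
# as described in Microsoft Knowledge Base Article 2510781.

function Test-MpEngineFixed {
    # Default is the first fixed engine version named in the alert; passed as a string so the
    # function also works when invoked remotely without outer-scope variables.
    param([version]$Fixed = '1.1.13704.0')

    if (-not (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue)) {
        throw "Get-MpComputerStatus is not available on $env:COMPUTERNAME; check the engine version via the product's About dialog (KB 2510781)."
    }

    $status = Get-MpComputerStatus
    # Compare as [version] objects: a string comparison would rank '1.1.9999.0' above '1.1.13704.0'.
    $engine = [version]$status.AMEngineVersion

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        EngineVersion        = $engine
        SignatureVersion     = $status.AntivirusSignatureVersion
        SignatureLastUpdated = $status.AntivirusSignatureLastUpdated   # shows whether definition updates are flowing
        Patched              = ($engine -ge $Fixed)
    }
}

# Local check.
Test-MpEngineFixed

# Enterprise check: run the same function on a list of hosts (constructed placeholder names) and list
# any host whose engine is still older than the fixed version.
$hosts = @('SRV-FILE-01', 'SRV-MAIL-01', 'WKS-FINANCE-07')   # placeholder host names, not from the alert
$results = Invoke-Command -ComputerName $hosts -ScriptBlock ${function:Test-MpEngineFixed} -ErrorAction Continue
$results | Where-Object { -not $_.Patched } |
    Format-Table ComputerName, EngineVersion, SignatureLastUpdated -AutoSize
```

Hosts that raise the "not available" error still need to be checked by the method in KB 2510781; hosts reporting Patched = False should have their update management configuration (see the previous step) inspected before the engine is updated.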

Last edited: 17 February 2020 11:37 am