Microsoft today released a security advisory alerting users of a serious vulnerability in the antimalware engine present in a number of security products, including Windows Defender, Forefront and others.
The update will be automatically pushed down to the Microsoft Malware Protection Engine in the next 48 hours, Microsoft said.
There are no known public exploits for the bug, which was privately disclosed by Google engineer Tavis Ormandy, a longtime bug-hunter, and occasional thorn in Microsoft’s side. Microsoft, meanwhile, said that exploits are unlikely because they would be difficult to build.
Attackers could exploit the bug by sending a malicious file to a victim, or by enticing them to visit a website hosting a malicious file.
“An attacker who successfully exploited this vulnerability could prevent the Microsoft Malware Protection Engine from monitoring affected systems until the specially crafted file is manually removed and the service is restarted,” Microsoft said in its advisory.
If the engine is configured for real-time protection, it would automatically scan files, causing the scan to time out; otherwise, the exploit would be triggered during a scheduled scan.
The Microsoft Malware Protection Engine ships with a number of Microsoft products, including server and endpoint versions of Windows Defender for Windows 8 and 8.1, Microsoft Security Essentials, the Microsoft Malicious Software Removal Tool, Microsoft System Center 2012 and Microsoft Forefront Client, Endpoint Protection and SharePoint versions.
“Typically, no action is required of enterprise administrators or end users to install updates for the Microsoft Malware Protection Engine, because the built-in mechanism for the automatic detection and deployment of updates will apply the update within 48 hours of release,” Microsoft said. “The exact time frame depends on the software used, Internet connection, and infrastructure configuration.”
Ormandy has disclosed Microsoft vulnerabilities in the past, some of them publicly.
Last July, Microsoft patched a critical Windows kernel vulnerability after Ormandy in May made a post to the Full Disclosure list looking for help with an exploit for a kernel bug he’d found. Ormandy said he had a working exploit within a week, and also took some shots at Microsoft on his personal blog, calling the company hostile toward security researchers.
The timing of the initial disclosure was awkward for Microsoft, which could not turn around a patch in time for its June 2013 Patch Tuesday updates, instead holding off until July. The situation, meanwhile, was complicated by the release of a Metasploit module exploiting the privilege escalation vulnerability.