Microsoft released a security advisory yesterday alerting customers to a serious vulnerability (CVE-2014-2779) discovered in the Microsoft antimalware engine found in a number of its products, including Windows Defender, Microsoft Security Essentials, and others. The vulnerability could lead to a denial of service and stop the malware protection from working.
Microsoft will be releasing a patch for its antimalware protection engine within the next 48 hours.
No known public exploits exist for the vulnerability, which was discovered and privately disclosed by Google engineer Tavis Ormandy, a longtime bug bounty collector. Microsoft said the disclosed flaw would be hard to exploit, and that a tool to exploit the software would be hard to craft and execute on the user's machine.
“An attacker who successfully exploited this vulnerability could prevent the Microsoft Malware Protection Engine from monitoring affected systems until the specially crafted file is manually removed and the service is restarted,” Microsoft noted in its security advisory.
If the antimalware engine is configured to perform real-time protection, it automatically scans the crafted file, causing the scan to time out; otherwise, the exploit would be triggered during a manual scan and halt scanning.
Microsoft’s malware protection engine comes pre-installed in a number of Microsoft products, including server and endpoint versions of Windows Defender, Microsoft Security Essentials, the Microsoft Malicious Software Removal Tool, and Microsoft Forefront, along with nine other products. Thirteen products in total are vulnerable to the malware engine exploit.
“Typically, no action is required of enterprise administrators or end users to install updates for the Microsoft Malware Protection Engine, because the built-in mechanism for the automatic detection and deployment of updates will apply the update within 48 hours of release,” Microsoft stated. “The exact time frame depends on the software used, Internet connection, and infrastructure configuration.”
Ormandy, the Google engineer, has disclosed vulnerabilities in the past, some of them publicly. Last July, Ormandy disclosed a critical vulnerability inside the Windows kernel; after posting to the Full Disclosure list looking for help with a vulnerability he had uncovered, he called the company hostile towards security researchers on his personal blog.