Microsoft has plugged a critical vulnerability in Windows Defender that could have allowed an attacker to execute code remotely and take over a user's computer. The bug, discovered by Google Project Zero researcher Tavis Ormandy, was exploitable without user interaction.
According to Ormandy, all it took was either tricking the victim into visiting a malicious website hosting a specially crafted JS file, or sending a malicious file via email, messaging or as a download. The Microsoft Malware Protection Engine (MsMpEng), a core security service in the Microsoft ecosystem, automatically scans any new content arriving on the user's PC before it is opened; a crafted file therefore crashed the engine during that scan and allowed remote code execution, with no action by the user.
According to his technical writeup, he had to encrypt the proof-of-concept demo file before sending it to Microsoft so it wouldn’t potentially crash Microsoft’s email servers.
The problem lies in the x86 emulator Windows Defender uses to run suspicious code during scanning: it runs at the privileged SYSTEM level in Windows, is not sandboxed, and exposes its API calls to the attacker-supplied code it emulates.
Ormandy reported the issue to Microsoft on June 9th and withheld disclosure until the company issued a patch via a silent update to the Malware Protection Engine in version 1.1.13903.0. The bug, tracked as CVE-2017-8557, affects the 32- and 64-bit versions of Windows Defender in Windows 10, Windows 8.1, Windows 8.1 RT, Windows 7 and Windows Server 2016.
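Because the fix arrived as a silent engine update rather than a visible Windows Update entry, the practical check for an administrator is whether the installed engine version is at or above the one named above. The following PowerShell is an added example, not code from the article or from Microsoft; it assumes the built-in Defender module (`Get-MpComputerStatus`, `Update-MpSignature`) is available, which is the case on Windows 8.1, Windows 10 and Windows Server 2016 but not on Windows 7. The function name `Test-MpEngineVersion` and the variable names are this example's own.

```powershell
# Added example, not part of the article: verify that the local Malware
# Protection Engine is at or above the fixed version the article cites.
# Assumes the Defender PowerShell module is present (Windows 8.1 / Windows 10 /
# Server 2016); on Windows 7 the engine version must be read from the
# Defender UI or update history instead.

# Engine version the article names as carrying the fix for CVE-2017-8557.
$FixedEngineVersion = [version]'1.1.13903.0'

function Test-MpEngineVersion {
    [CmdletBinding()]
    param(
        # Engine version to evaluate; defaults to what Defender reports locally.
        [string]$InstalledVersion = (Get-MpComputerStatus).AMEngineVersion,
        [version]$FixedVersion = $FixedEngineVersion
    )
    # Compare as [version], not as strings: component-wise comparison makes
    # 1.1.13903.0 greater than 1.1.9999.0, which a string compare would get wrong.
    $installed = [version]$InstalledVersion
    [pscustomobject]@{
        Installed = $installed
        Fixed     = $FixedVersion
        Patched   = ($installed -ge $FixedVersion)
    }
}

$result = Test-MpEngineVersion
$result | Format-List

if (-not $result.Patched) {
    # Engine updates are delivered together with definition updates, so
    # pulling the latest definitions is the normal way to obtain a newer engine.
    Write-Warning "Engine $($result.Installed) is older than $($result.Fixed); updating definitions."
    Update-MpSignature
}
```

Run the script in an elevated PowerShell session; `Patched = True` means the engine is at or past the version the article names. The version comparison is deliberately done on `[version]` objects, since a lexical comparison of the dotted strings would misjudge engine builds whose third component has fewer digits.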