Microsoft issues patch for bug in Windows Malware Protection Engine


San Francisco, Dec 9 (IANS): Microsoft has released a security patch to fix a flaw in its Windows Malware Protection Engine that, if left untreated, can exploit a memory corruption error in the malware scanning tool and hack your system.

The bug in Malware Protection Engine was discovered by the UK's National Cyber Security Centre. The vulnerability (CVE-2017-11937) can affect systems running Windows 7, 8.1, 10 and Server 2016.

A similar flaw was found by Tavis Ormandy, security researcher for Google's Project Zero, in June this year.

"According to Microsoft, the vulnerability can be triggered when the Malware Protection Engine scans a downloaded file to check for threats," The registrar reported.

In many systems, this happens automatically for all new files.

Microsoft recommends all uses to immediately install the new security patch.

"There are many ways that an attacker could place a specially crafted file in a location that is scanned by the Microsoft Malware Protection Engine. For example, an attacker could use a website to deliver a specially crafted file to the victim's system that is scanned when the website is viewed by the user," the company said in its advisory FAQ.

An attacker could also deliver a specially crafted file via an email message or in an Instant Messenger message that is scanned when the file is opened.

"In addition, an attacker could take advantage of websites that accept or host user-provided content, to upload a specially crafted file to a shared location that is scanned by the Malware Protection Engine running on the hosting server," Microsoft noted.

  

Top Stories


Leave a Comment

Title: Microsoft issues patch for bug in Windows Malware Protection Engine



You have 2000 characters left.

Disclaimer:

Please write your correct name and email address. Kindly do not post any personal, abusive, defamatory, infringing, obscene, indecent, discriminatory or unlawful or similar comments. Daijiworld.com will not be responsible for any defamatory message posted under this article.

Please note that sending false messages to insult, defame, intimidate, mislead or deceive people or to intentionally cause public disorder is punishable under law. It is obligatory on Daijiworld to provide the IP address and other details of senders of such comments, to the authority concerned upon request.

Hence, sending offensive comments using daijiworld will be purely at your own risk, and in no way will Daijiworld.com be held responsible.