“Bad” is bad enough. But this bug is being labelled as “crazy–bad.”

CVE-2017-0290 could allow a remote attacker to execute malicious payload code with administrative privileges by providing a specially crafted file which the Microsoft Malware Protection Engine scans automatically. An attacker could then execute any malicious code, install malware, steal files or perform any other up–to–no–good deeds remotely, without user interaction. So, while the antivirus is doing exactly what it’s supposed to, it could also run and install the very thing it’s trying to protect against.

This vulnerability affects Windows Defender and Microsoft Endpoint Protection, among other products, and is enabled by default in Windows 1, 8.1 and 10, as well as Windows Server 2012.

How the vulnerability was disclosed seems to be drawing as much attention as the flaw itself:

  • May 6: Google Project Zero Natalie Silvanovich and Tavis Ormandy discover the bug and have proof–of–concept exploit code. The pair notify Microsoft, but also tweet out the existence of the bug, claiming it’s “the worst Windows remote code exec in recent memory,” but providing no details of the exploit.
  • May 8: Microsoft releases an emergency update in a time frame that even impressed Ormandy. The fix will be applied within 48 hours of release via the built­–in, automatic detection and deployment of the Malware Protection Engine’s update mechanism (as long as it’s enabled).
  • May 9: All the special preps for the monthly Patch Tuesday are in motion earlier than usual

For now, there is no evidence that this vulnerability is being exploited in the wild; but, as a PoC exploit code is available, this could happen very soon.

What You Can Do Now:

  • Make sure the auto-update mechanism of the Malware Protection Engine is properly configured and expect an emergency update in the next day or two.
  • If you have another endpoint protection system, you may consider pausing the use of Microsoft Endpoint Protection and Windows Defended until the Microsoft update kicks in
  • If this is your only endpoint protection mechanism, you’re between a rock and a hard place. Keeping it active leaves you at risk of this “crazy–bad” flaw, while disabling it leaves you exposed to who–knows–how–many others. May be time to diversify.



Learn more about Malware Protection Engine’s remote code execution vulnerability at the free–to–use Skybox Vulnerability Center.