Microsoft has rushed to patch a flaw in its Windows anti-malware software that ironically could be exploited to enable malware to be installed on vulnerable computers.
The bug, which was reported by two researchers from Google#s Project Zero cyber security team, was found to enable files with custom code to be executed when scanned by products in Microsoft’s anti-malware portfolio, which includes Microsoft Security Essentials, Windows Defender, and Microsoft Endpoint Protection.
From this code injection attack, hackers can gain administrative privileges over a machine running Windows 8, 8,1, 10 and Windows Server 2012.
“If the affected anti-malware software has real-time protection turned on, the Microsoft Malware Protection Engine will scan files automatically, leading to exploitation of the vulnerability when the specially crafted file scanned,” Microsoft’s security advisory warned.
“An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the LocalSystem account and take control of the system.”
However, the flaw which essentially bypassed the one job the anti-malware software was meant to do, will not have painted Microsoft’s security engineers in a good light.
“I think @natashenka and I just discovered the worst Windows remote code exec in recent memory. This is crazy bad. Report on the way,” tweeted Travis Ormandy, one of the security researchers that discovered the bug.
“Vulnerabilities in MsMpEng [the Microsoft malware protection service enabled by default in modern Windows] are among the most severe possible in Windows, due to the privilege, accessibility, and ubiquity of the service,” Ormandy noted on the Project Zero site.
While Microsoft can be commended for hurrying out a fix for the bug, which thus far does not look to have been exploited out in the wild, it has been caught with a fairly embarrassing software flaw.
Nevertheless, bugs are commonplace in even the most robust software, with closed ecosystems like Apple’s macOS suffering from the odd security compromising bug.
Are you a security pro? Try our quiz!
Billionaire battle. Meta's boss Mark Zuckerberg overtakes Jeff Bezos to become the world’s second richest…
Internet domains used by “Russian intelligence agents and their proxies” for cyberattacks, seized by the…
UK's tech billionaire Dr Mike Lynch died from drowning on his superyacht, but his daughter's…
Another recall for thousands of Tesla Cybertrucks over delay with rear camera, with could hamper…
Browser firms write to European Commission alleging Microsoft's Edge web browser enjoys an unfair advantage
Data centre and AI spending spree continues over at Microsoft, with Italy earmarked for €4.3…