Microsoft on Monday patched a severe code-execution vulnerability in the malware protection engine that is used in almost every recent version of Windows (7, 8, 8.1, 10, and Server 2016), just three days after it came to its attention. Notably, Windows Defender is installed by default on all consumer-oriented Windows PCs.
...
The exploit (officially dubbed CVE-2017-0290) allows a remote attacker to take over a system without any interaction from the system owner: it's simply enough for the attacker to send an e-mail or instant message that is scanned by Windows Defender. Likewise, anything else that is automatically scanned by Microsoft's malware protection engine—websites, file shares—could be used as an attack vector. Tavis Ormandy, one of the Google Project Zero researchers who discovered the flaw, warned that exploits were "wormable," meaning they could lead to a self-replicating chain of attacks that moved from vulnerable machine to vulnerable machine.
Why is no action required to install this update?
In response to a constantly changing threat landscape, Microsoft frequently updates malware definitions and the Microsoft Malware Protection Engine. In order to be effective in helping protect against new and prevalent threats, antimalware software must be kept up to date with these updates in a timely manner.
For enterprise deployments as well as end users, the default configuration in Microsoft antimalware software helps ensure that malware definitions and the Microsoft Malware Protection Engine are kept up to date automatically.
https://technet.microsoft.com/en-us/library/security/4022344 -TN Microsoft Security Advisory 4022344
How are we supposed to tell whether Microsoft has fixed the vulnerability on individual computers?-cyberdiva (May 21, 2017, 08:07 PM)
The linked article says:
To check whether your Windows PC has been updated, head to "Windows Defender settings" and note the Engine version number. 1.1.13704.0 or higher means you've been patched.
-https://arstechnica.com/information-technology/2017/05/windows-defender-nscript-remote-vulnerability/
-Deozaan (May 22, 2017, 12:16 AM)
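The same check can be scripted. The following is an added example, not code from the thread or from Microsoft: it reads the engine version through the Defender PowerShell module and compares it with the 1.1.13704.0 threshold the article quotes. It assumes Windows 8.1, 10 or Server 2016, where the `Get-MpComputerStatus` cmdlet exists; on Windows 7 with Microsoft Security Essentials that cmdlet is not available and the version has to be read from the program's settings page as described above. It also reports whether the antimalware service and real-time scanning are actually enabled, since a disabled engine reports whatever version it last received.

```powershell
# Added example (not from the thread): check whether the Microsoft Malware
# Protection Engine on this machine is at or above 1.1.13704.0, the version
# the quoted article names as containing the fix for CVE-2017-0290.
# Assumes the Defender PowerShell module (Windows 8.1 / 10 / Server 2016).

$patchedEngine = [version]'1.1.13704.0'

function Test-MpEnginePatched {
    # Get-MpComputerStatus exposes the engine version and enablement state.
    $status = Get-MpComputerStatus -ErrorAction Stop
    $engine = [version]$status.AMEngineVersion

    [pscustomobject]@{
        EngineVersion   = $engine
        Patched         = ($engine -ge $patchedEngine)
        ServiceEnabled  = $status.AMServiceEnabled
        RealtimeEnabled = $status.RealTimeProtectionEnabled
    }
}

$result = Test-MpEnginePatched
$result | Format-List

if (-not $result.Patched) {
    # Engine updates arrive with definition updates; request one and re-check.
    Write-Warning "Engine $($result.EngineVersion) is below $patchedEngine. Run Update-MpSignature and check again."
}
if (-not $result.ServiceEnabled) {
    Write-Warning "The antimalware service is disabled; the engine will not update on its own while it stays off."
}
```

Run it from an elevated PowerShell prompt. `Patched` is a plain version comparison, so a machine that shows `Patched: True` but `ServiceEnabled: False` has the fixed engine on disk but is not currently scanning, which is the situation discussed later in this thread.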
Many thanks, Deozaan. I've now checked. The version number is way out of date, but apparently I succeeded in turning WD off when I installed Kaspersky and did not succeed in turning it back on when it kept nagging at me to do so. So Windows Defender is turned off. I'm assuming that means that it hasn't been scanning anything and won't be doing so, and thus it will not be vulnerable to the malware threat in question. If I'm wrong, I hope someone will let me know.-cyberdiva (May 23, 2017, 07:48 AM)
The fact that you aren't running/updating it doesn't have relevancy in many cases with these kinds of vulnerability. It might in this case, but I wouldn't depend on that.-wraith808 (May 23, 2017, 07:28 PM)
The fact that you aren't running/updating it doesn't have relevancy in many cases with these kinds of vulnerability. It might in this case, but I wouldn't depend on that.-wraith808 (May 23, 2017, 07:28 PM)
As I understand it, the problem comes when WD scans objects and gets infected. If I have WD turned off so that it doesn't run, how am I still vulnerable?-cyberdiva (May 25, 2017, 11:24 AM)
Why is no action required to install this update?
In response to a constantly changing threat landscape, Microsoft frequently updates malware definitions and the Microsoft Malware Protection Engine. In order to be effective in helping protect against new and prevalent threats, antimalware software must be kept up to date with these updates in a timely manner.
For enterprise deployments as well as end users, the default configuration in Microsoft antimalware software helps ensure that malware definitions and the Microsoft Malware Protection Engine are kept up to date automatically.
https://technet.microsoft.com/en-us/library/security/4022344 -TN Microsoft Security Advisory 4022344-Curt (May 09, 2017, 04:55 PM)
WD wasn't enabled. It won't update if it's not enabled.-wraith808 (May 26, 2017, 10:06 AM)
Doesn't seem to have worked that way in this computer. Win Defender was Off and is updated beyond that version(1.1.113804).-Arizona Hot (May 26, 2017, 10:27 PM)
I confess that I'm not at all clear about any of this, but I stopped using MSE more than a year ago when I switched to Kaspersky (I had the offer of two free two-year subscriptions and decided to give Kaspersky a try). I've just checked with Everything Search, and Microsoft Security Essentials is not on my computer. Moreover, when I was using MSE, I'd get daily updates for it through Windows Updates, but those updates stopped when I switched to Kaspersky. Also, IIRC, Windows Defender existed separately on my computer from MSE when I was using MSE.
Where it didn't update (cyberdiva) was (as MSE) on a Windows 7 computer.
May be different on 10?-tomos (May 27, 2017, 01:17 PM)
Microsoft ... chose to use the Windows Defender name for 3 distinct products ...
Windows Defender (downloadable for XP, included on Vista and Windows 7, antispyware only, includes some useful system utilities, too, not present in MSE or Windows Defender/8-RT)
Windows Defender Offline (uses the same technology as MSE, but runs from a bootable disc created by the downloaded "wizard")
Windows Defender (included in Windows 8 and Windows RT [and Windows 10] that is a full antivirus and antispyware program)