Critical vulnerability found in Microsoft Malware Protection Engine

The vulnerability was found and reported by an organization under GCHQ.

Microsoft revealed a critical vulnerability in the Microsoft Malware Protection Engine (MPE) on Thursday that allows an attacker to take full control of a target’s computer. A vast array of Microsoft security products are affected, including Windows Defender for Windows 10.

The Microsoft Malware Protection Engine provides the core cybersecurity capabilities for Microsoft anti-virus and anti-spyware programs in all of the company’s products.

The vulnerability is fixed and patches are going out to users now. There is no sign it was exploited in the real world, according to Microsoft.

The vulnerability is triggered when the Microsoft Malware Protection Engine scans a specially crafted file, which then allows an attacker to gain remote code execution. The report from Microsoft warned “there are many ways that an attacker could place a specially crafted file in a location that is scanned” by the vulnerable software. A dangerous file could be delivered through a website, email or messaging apps.


If a victim has real-time protection turned on, MPE will automatically scan the file and the exploit will trigger without any further user interaction.

“An attacker could take advantage of websites that accept or host user-provided content, to upload a specially crafted file to a shared location that is scanned by the Malware Protection Engine running on the hosting server,” the report said.

The incident reignited criticism from cybersecurity experts against the way Microsoft built their security products.

“Microsoft exposed their users to a lot of risks when they released Windows Defender without a sandbox,” Andy Ying, a developer at the security firm Trail of Bits, wrote earlier this year. “This surprised me. Sandboxing is one of the most effective security-hardening techniques. Why did Microsoft sandbox other high-value attack surfaces such as the JIT code in Microsoft Edge, but leave Windows Defender undefended?”

Sandboxing is the security mechanism for strictly separating specific software from the rest of the computer in order to stop critical vulnerabilities in that software from affecting the whole of the operating system. It’s considered a significant security measure for software with “unencumbered access to its host machine,” Ying wrote.


Today’s disclosure brought out the same criticisms. Here is Google’s Tavis Ormandy:

Ying published an open source sandboxed version of Windows Defender in August 2017.

Microsoft did not respond to a request for comment.

Thursday’s vulnerability, numbered CVE-2017-11937, was found and reported to Microsoft by the U.K.’s National Cyber Security Centre, a cybersecurity-focused government organization under the umbrella of the United Kingdom’s GCHQ signals intelligence agency.


Microsoft Malware Protection Engine has seen multiple significant vulnerabilities in recent months including seven found by Google’s Project Zero.
