Microsoft Promises Next-Generation Security with Windows 10 Fall Creators Update

"If the affected antimalware software has real-time protection turned on, the Microsoft Malware Protection Engine will scan files automatically, leading to exploitation of the vulnerability when the specially crafted file is scanned", Microsoft said.

According to Tavis Ormandy, the Google Project Zero researcher who discovered the vulnerability, the flaw was spotted almost immediately after he developed a fuzzer for the Windows Defender component. Fuzzing is a software testing technique that locates bugs by feeding the code under test corrupted data and other malformed or otherwise unexpected input, then watching for crashes or other misbehaviour.

Ormandy said in a bug report, made public on Friday after the update was pushed to Windows machines, that he wrote a custom fuzzer that uncovered a heap corruption in the KERNEL32.DLL!VFS_Write API.
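To make the technique described in the two paragraphs above concrete, here is a small mutation fuzzer run against a toy file parser. This is an added example written for this article; it is not Microsoft's engine, Ormandy's fuzzer, or any real file format. The format (a "TOYF" magic, a 16-bit length and a payload), the parser, its deliberate length-trusting bug and the hardened version are all constructed here. Because Python cannot corrupt its own heap, a bounds-checked copy routine raises a MemoryCorruption exception where a native parser would silently overflow and a sanitizer would report it; the fuzzer treats that, or any other unplanned exception, as a crash and buckets the crashes by type, the way a real harness triages findings.

```python
import random
import struct

# Constructed toy format for this example: 4-byte magic, big-endian u16
# payload length, then the payload. Not a real Microsoft engine format.
MAGIC = b"TOYF"
BUF_SIZE = 64  # the fixed-size buffer the parser copies the payload into


class ParseError(Exception):
    """Clean rejection of malformed input: expected behaviour, not a bug."""


class MemoryCorruption(Exception):
    """Stands in for what a sanitizer would report in native code."""

    def __init__(self, kind: str, detail: str):
        super().__init__(f"{kind}: {detail}")
        self.kind = kind


def checked_copy(dst: bytearray, src: bytes, n: int) -> None:
    """memcpy stand-in that raises instead of silently corrupting memory."""
    if n > len(src):
        raise MemoryCorruption("over-read", f"{n} bytes from {len(src)}-byte source")
    if n > len(dst):
        raise MemoryCorruption("over-write", f"{n} bytes into {len(dst)}-byte buffer")
    dst[:n] = src[:n]


def parse(data: bytes) -> bytes:
    """Deliberately buggy parser: trusts the length field read from the file."""
    if len(data) < 6 or data[:4] != MAGIC:
        raise ParseError("bad header")
    (length,) = struct.unpack(">H", data[4:6])
    buf = bytearray(BUF_SIZE)
    checked_copy(buf, data[6:], length)  # BUG: length never bounded
    return bytes(buf[:length])


def parse_fixed(data: bytes) -> bytes:
    """Hardened form: bound the length by both the payload and the buffer."""
    if len(data) < 6 or data[:4] != MAGIC:
        raise ParseError("bad header")
    (length,) = struct.unpack(">H", data[4:6])
    payload = data[6:]
    if length > len(payload) or length > BUF_SIZE:
        raise ParseError(f"length {length} out of range")
    buf = bytearray(BUF_SIZE)
    checked_copy(buf, payload, length)
    return bytes(buf[:length])


INTERESTING_U16 = (0, 1, 0x7F, 0x80, 0xFF, 0x7FFF, 0x8000, 0xFFFF)


def mutate(data: bytes, rng: random.Random) -> bytes:
    """Apply one to three stacked mutations to a copy of the seed input."""
    buf = bytearray(data)
    for _ in range(rng.randint(1, 3)):
        if not buf:
            break
        pos = rng.randrange(len(buf))
        choice = rng.randrange(4)
        if choice == 0:                        # flip one bit
            buf[pos] ^= 1 << rng.randrange(8)
        elif choice == 1:                      # overwrite one byte
            buf[pos] = rng.randrange(256)
        elif choice == 2 and len(buf) >= 2:    # plant an edge-case 16-bit value
            pos = rng.randrange(len(buf) - 1)
            buf[pos:pos + 2] = struct.pack(">H", rng.choice(INTERESTING_U16))
        elif rng.random() < 0.5:               # insert a random chunk
            buf[pos:pos] = bytes(rng.randrange(256) for _ in range(rng.randint(1, 8)))
        else:                                  # delete a chunk
            del buf[pos:pos + rng.randint(1, 8)]
    return bytes(buf)


def classify(target, data: bytes) -> str:
    """'ok', 'rejected' (clean ParseError) or 'crash' (anything else)."""
    try:
        target(data)
    except ParseError:
        return "rejected"
    except Exception:
        return "crash"
    return "ok"


def fuzz(target, seed: bytes, iterations: int = 2000, rng_seed: int = 0) -> dict:
    """Run target on mutated seeds; bucket crashes by exception type and kind,
    keeping the first input that reached each bucket."""
    rng = random.Random(rng_seed)
    buckets = {}
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            target(case)
        except ParseError:
            continue
        except Exception as exc:
            key = f"{type(exc).__name__}:{getattr(exc, 'kind', '')}"
            buckets.setdefault(key, case)
    return buckets


SEED = MAGIC + struct.pack(">H", 5) + b"hello"  # constructed well-formed sample

if __name__ == "__main__":
    for key, case in fuzz(parse, SEED).items():
        print(f"{key} <- {case.hex()}")
    print("fixed parser buckets:", fuzz(parse_fixed, SEED))
```

Running the buggy parser turns up both an over-read (declared length larger than the payload) and an over-write (declared length larger than the 64-byte buffer) within a few hundred iterations, while the hardened parser only ever produces clean rejections. The seed is kept small and well-formed on purpose: mutations that break the magic are rejected early, so the fuzzer's useful work is the handful of inputs that keep the header intact and push the length field somewhere the parser never expected.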

The WannaCry attack was so serious it prompted Microsoft to make the unprecedented move of including the outdated Windows XP operating system, which first launched nearly 16 years ago, in its Patch Tuesday round of security updates.

This is the new dashboard for Windows Defender Advanced Threat Protection. Microsoft has also said that it will bring ATP to unspecified non-Windows platforms. The fix itself is worth being thankful for: the remote code execution vulnerability was easy enough to exploit that it could have been devastating, because the Malware Protection Engine runs as the LocalSystem account, which, according to the advisory, has "extensive privileges on the local computer and acts as the computer on the network".

This is a big issue because the Malware Protection Engine has been shipped as a built-in service in all Windows OS versions since Windows 7, and is a core component of a series of Microsoft security products such as Windows Defender, Microsoft Security Essentials, Microsoft Endpoint Protection, Windows Intune Endpoint Protection, and Microsoft Forefront Endpoint Protection.

As a testament to how easily the bug is triggered, Ormandy took special precautions when publishing the proof-of-concept exploits, which were linked to a file named testcase.txt. "Note that as soon as the testcase.txt file touches disk, it will immediately crash the MsMpEng service on Windows, which may destabilize your system". Showing just how unsafe and easy to exploit this bug was, Ormandy encrypted the PoC before sending it to Microsoft, because it risked crashing Microsoft's mail servers the moment it reached their systems and was scanned.

The vulnerability was found in the same full-system, unsandboxed x86 emulator that Microsoft quietly patched in late May. That emulator is part of the Malware Protection Engine that powers Windows Defender, which is installed by default on all consumer PCs running supported versions of Windows.

Ormandy included the testcase.txt warning quoted above in his technical writeup.