On May 6, 2017, Google Project Zero announced on Twitter a critical remote code execution vulnerability affecting Windows. An attacker who exploits it can take full control of a Windows system running the affected Microsoft antimalware software and access any data on it. Microsoft published its advisory on May 8, and Google Project Zero released the technical details on May 9.
The vulnerability is described below.
Microsoft Malware Protection Engine remote code execution vulnerability
The Microsoft Malware Protection Engine is the scanning component shared by Windows Defender and the other Microsoft antimalware products listed below. The vulnerability is triggered when the engine scans a specially crafted file: the file is not handled correctly and memory is corrupted during the scan. Because the engine runs as LocalSystem and real-time protection scans files automatically as they arrive (for example an email attachment, a download, or a file fetched while browsing a web page), an attacker only needs to get the crafted file onto the system; no user interaction is required. Successful exploitation gives the attacker arbitrary code execution as LocalSystem and therefore full control of the system.
Conditions for exploitation
By default, the Windows Server 2008 and Windows Server 2012 images provided by Alibaba Cloud ship without Microsoft malware protection software, so these systems are not affected unless you installed one of the products below yourself. The Windows Server 2016 images include Windows Defender and may be affected.
Microsoft's advisory lists the following affected products:
- Microsoft Forefront Endpoint Protection 2010
- Microsoft Endpoint Protection
- Microsoft Forefront Security for SharePoint Service Pack 3
- Microsoft System Center Endpoint Protection
- Microsoft Security Essentials
- Windows Defender for Windows 7
- Windows Defender for Windows 8.1
- Windows Defender for Windows RT 8.1
- Windows Defender for Windows 10, Windows 10 1511, Windows 10 1607, Windows Server 2016, Windows 10 1703
- Windows Intune Endpoint Protection
Check the version of the Microsoft Malware Protection Engine on the system (shown as the engine version under Help > About in Windows Defender and Security Essentials). Engine versions up to and including 1.1.13701.0 are vulnerable; version 1.1.13704.0 or later contains the fix.
How to fix or mitigate
If one of the affected products is installed, no separate patch has to be downloaded: the fixed engine, version 1.1.13704.0, is delivered through the regular definition update channel, so hosts with automatic updates enabled receive it within about 48 hours of release. To close the window sooner, trigger a definition update manually from the product's Update tab or from the command line, then confirm that the engine version reported is 1.1.13704.0 or later.
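The version check and forced update described above, as an added PowerShell example that is not part of the original advisory or of any Microsoft tooling. It assumes the Defender PowerShell module (Get-MpComputerStatus and Update-MpSignature, present on Windows 10 and Windows Server 2016); the two registry paths used as a fallback for older products and the helper name Get-MpEngineVersion are assumptions made for illustration.

```powershell
# Added example (not from the original advisory or from Microsoft): report whether the
# Microsoft Malware Protection Engine on this host is at or above the fixed version
# 1.1.13704.0 (1.1.13701.0 and earlier are vulnerable) and force an update if it is not.
# Assumes the Defender PowerShell module; the registry fallback paths are assumptions.

$FixedVersion = [version]'1.1.13704.0'

function Get-MpEngineVersion {
    # Prefer the Defender cmdlet; fall back to the registry on hosts without the module
    # (Security Essentials, System Center Endpoint Protection, older Windows Defender).
    if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
        $status = Get-MpComputerStatus
        if ($status.AMEngineVersion) { return [version]$status.AMEngineVersion }
    }
    $regPaths = @(                       # assumed locations of the EngineVersion value
        'HKLM:\SOFTWARE\Microsoft\Windows Defender\Signature Updates',
        'HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware\Signature Updates'
    )
    foreach ($p in $regPaths) {
        $v = (Get-ItemProperty -Path $p -Name EngineVersion -ErrorAction SilentlyContinue).EngineVersion
        if ($v) { return [version]$v }
    }
    return $null
}

$engine = Get-MpEngineVersion
if (-not $engine) {
    # No engine found: no Microsoft antimalware product is installed, so this advisory does not apply.
    Write-Output 'No Microsoft Malware Protection Engine found; host is not affected by this advisory.'
    return
}

if ($engine -ge $FixedVersion) {
    Write-Output "Engine $engine is at or above $FixedVersion; the fix is present."
} else {
    Write-Warning "Engine $engine is below $FixedVersion; host is vulnerable. Forcing a definition update."
    # Pulls the current engine and definitions through the normal update channel.
    # Without the module, the equivalent is: & "$env:ProgramFiles\Windows Defender\MpCmdRun.exe" -SignatureUpdate
    Update-MpSignature
    $after = Get-MpEngineVersion
    if ($after -ge $FixedVersion) {
        Write-Output "Updated to engine $after; the fix is now present."
    } else {
        Write-Warning "Still on engine $after; check that the host can reach Windows Update and retry."
    }
}
```

Run it in an elevated PowerShell session; Update-MpSignature needs administrative rights, and the comparison is done on [version] objects rather than strings so that 1.1.13704.0 sorts correctly above 1.1.13701.0. Because real-time protection scans files as they arrive, a host still on a vulnerable engine should be updated before it is exposed to inbound email or web traffic.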