
Microsoft fixed a vulnerability in the built-in Windows antivirus code

The vulnerability left almost any computer open to cybercriminals, including PCs running Windows versions from Windows 7 through Windows Server 2016. Redmond employees managed to fix the problem in just three days.
The vulnerability in question has received the official identifier CVE-2017-0290. It allows an attacker to compromise the system remotely without any interaction from the PC's owner. It is enough for a cybercriminal to send an e-mail or an instant message that Windows Defender then scans. As it turned out, anything Defender checks automatically, including websites and file-sharing paths, can be used as an attack vector.
Information security specialist Tavis Ormandy of Google Project Zero said that the Windows exploit in question is "worm-like": it can be used to carry out a chain of consecutive attacks that propagate automatically from machine to machine (provided those PCs are vulnerable).
Ormandy first announced the problem on Friday evening. He himself called the possibility of a remote attack on Windows "the most dangerous exploit lately" and warned that the attack is effective against "default installation, and computers do not have to be in the same local network." Most information security experts said it would take the corporation several weeks to fix the problem. But, to the surprise of many, Microsoft employees released the patch on Monday evening.
The vulnerability affects the MsMpEng process, which runs with the highest level of access to the system. That is why this exploit is so dangerous. MsMpEng.exe is the core process of Windows Defender, the program Microsoft created to combat malware. The process scans downloaded files for spyware; if malware is detected, the affected items are quarantined or deleted.
More specifically, the vulnerability lies in one of the components of MsMpEng, called NScript. It is this component that can be exploited with just a few lines of JavaScript. NScript is not sandboxed and runs with the highest level of access to the system, just like the MsMpEng process itself. The attack can be carried out using a zip file, a Python file, an image file (ROM), over a local network, or over the Internet.