Microsoft issued an advisory on Tuesday warning users of a vulnerability in its Malware Protection Engine which, if left unpatched, could allow an attacker to disable its security products through a malformed file sent as an attachment.
Along with the advisory, Microsoft has also released an update that patches the vulnerability.
Microsoft added that successful exploitation of the vulnerability could allow attackers to prevent the Malware Protection Engine from monitoring affected systems. The denial-of-service state persists until the specially crafted file is manually removed and the service is restarted.
Because the vulnerability is present in the anti-malware engine itself, almost all of Microsoft's security software is affected, including Microsoft Forefront Client Security, Microsoft Forefront Endpoint Protection 2010, Microsoft Forefront Security for SharePoint Service Pack 3, Microsoft System Center 2012 Endpoint Protection, Microsoft Security Essentials, Windows Defender Offline, and Windows Intune Endpoint Protection, among others.
Microsoft added that it is not aware of any instance in which attackers have exploited the vulnerability. The update will be applied to systems automatically and silently, but Microsoft has recommended that users and administrators check and ensure that the patch is installed.
Google security engineer Tavis Ormandy has been credited with the discovery of the flaw. According to Ormandy (https://twitter.com/taviso/status/478964099292745728), he discovered the flaw in the JavaScript interpreter used by the Microsoft Malware Protection Engine.