Microsoft has issued an emergency, out-of-band patch to shore up some critical weaknesses in Window’s Malware Protection Engine.
This is an unseen part of the OS that actively scans and prevents malicious code from ever making its way onto your system in the first place. It operates independently of any antivirus software you might be using.
Unfortunately, as with any software, it’s not perfect. Google’s Project Zero has identified a total of eight critical security issues with the Malware Protection Issue that Microsoft deemed worrisome enough to take the step of issuing a patch outside their normal schedule.
The eight flaws identified broadly fall into two categories. Five of them were shortcomings in the code that would allow a hacker to completely disable by conducting a DDOS (Dedicated Denial of Service) style attack.
This is a rather crude, but devastating attack that amounts to using a battering ram to knock a hole in the digital walls protecting you. Once those walls are down, the hackers can insert whatever code they like.
The other three issues revolve around RCE (Remote Code Execution) flaws, which allow hackers to remotely disable the Malware Protection Engine, then infect your machine with whatever they like.
There’s nothing you need to do to get the latest patch. It will install automatically unless you’ve made a deep dive into the Malware Protection Engine’s settings and intentionally hobbled its ability to update automatically (which is not recommended).
Note that the Malware Protection Engine is an integral part of multiple Windows products, including:
• Windows Defender
• Exchange Server
• Endpoint Protection
• Forefront Endpoint Protection
• Windows Intune Endpoint Protection
• Security Essentials
And many others, so in terms of the level of seriousness, these flaws are about as bad as it could possibly get. In fact, a member of Google’s Project Zero team described the flaws as “crazy bad,” and said it was the worst Windows code flaw in recent memory.
Microsoft’s most recent scheduled patch came out on “Patch Tuesday,” which was June 13.