Solve for Windows Defender Malware in Minutes

Late last week, Google Project Zero team members Tavis Ormandy and Natalie Silvanovich discovered a rather severe code-execution vulnerability in Microsoft’s Windows Defender malware protection software that is bundled into Windows 7, 8.1, RT 8.1, 10, and Server 2016, as well as Microsoft Endpoint Protection, Forefront Endpoint Protection, Intune Endpoint Protection, System Center Endpoint Protection, Forefront Security for SharePoint, and Security Essentials.

The great news is that Microsoft responded immediately to the discovery and had a fix in place by the end of the weekend, stating that they hadn’t seen public exploitation of the vulnerability. That is a good thing, since the vulnerability would let an attacker take control of any endpoint running Windows Defender simply by sending it an email or an instant message. The surprising element of this vulnerability is that the end user doesn’t need to click on anything; merely receiving the message is enough for the system to be exploited.

From Microsoft: “The update addresses a vulnerability that could allow remote code execution if the Microsoft Malware Protection Engine scans a specially crafted file.” And: “An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the LocalSystem account and take control of the system.” This means hackers could easily and quickly access one device after another.

The issue stems from an oversight in a privileged kernel program that allows an attacker to achieve remote code execution. Because the vulnerability lies in MsMpEng, which operates at the highest privilege level, its unsandboxed nscript JavaScript interpreter runs at that same level and can be exploited with only a couple of lines of JavaScript.
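Since the fix Microsoft shipped is an engine update rather than a conventional patch, the practical question for a defender is whether every endpoint actually received it. The following PowerShell script is an added example, not code from the original post or from Automox: it reads the Malware Protection Engine version through the real `Get-MpComputerStatus` cmdlet (available with the Defender module on Windows 8.1, Windows 10 and Server 2016; older products such as Windows 7 with Security Essentials or SCEP do not expose it) and compares it against a required version. The `$RequiredEngineVersion` value is a placeholder you must replace with the fixed engine version named in the vendor advisory, because this page does not state it.

```powershell
# Added example (not from the original post): verify that the Microsoft
# Malware Protection Engine on this host is at or above a required version.
# ASSUMPTION: $RequiredEngineVersion is a placeholder; take the fixed engine
# version from the vendor advisory for the vulnerability you are checking.
param(
    [version]$RequiredEngineVersion = [version]'0.0.0.0'   # placeholder
)

function Test-MpEngineVersion {
    param([Parameter(Mandatory)][version]$Required)

    # Get-MpComputerStatus is part of the Defender module (Windows 8.1/10/Server 2016).
    $status = Get-MpComputerStatus -ErrorAction Stop

    # AMEngineVersion is the engine that parses scanned files (including the
    # nscript interpreter); AntivirusSignatureVersion is the definition set.
    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        EngineVersion    = [version]$status.AMEngineVersion
        RequiredVersion  = $Required
        SignatureVersion = $status.AntivirusSignatureVersion
        SignatureUpdated = $status.AntivirusSignatureLastUpdated
        ServiceRunning   = $status.AMServiceEnabled
        EngineUpToDate   = ([version]$status.AMEngineVersion -ge $Required)
    }
}

$r = Test-MpEngineVersion -Required $RequiredEngineVersion
$r | Format-List

if (-not $r.ServiceRunning) {
    Write-Warning "Antimalware service is not running; the engine version check is not meaningful."
} elseif (-not $r.EngineUpToDate) {
    Write-Warning "Engine $($r.EngineVersion) is below required $($r.RequiredVersion); trigger a definition update."
    # Engine updates are delivered with definition updates, so Update-MpSignature
    # (uncomment to run) is the normal way to pull the fixed engine.
    # Update-MpSignature
} else {
    Write-Output "Engine $($r.EngineVersion) meets the required version."
}
```

Run it on one host to confirm the check, then fan it out with `Invoke-Command` or your management tool and collect the `EngineUpToDate` field per machine; the hosts reporting `False` are the ones still exposed to a scan-triggered exploit regardless of their Windows Update status.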

This speaks to a larger issue. Yes, this issue has been patched, but the underlying architecture still leaves open the opportunity for significant security vulnerabilities and rekindles the debate about the usefulness of antivirus software. Efforts to protect devices from every possible threat mean that if the antivirus software itself is compromised, its entire threat surface is exposed.

Reminders like this are important to bring the critical nature of patching back to the forefront of IT executives’ minds. While IT departments know the risks of not being patched, it is not always a top priority for leadership and is often overlooked. With new automated cloud patch management solutions available, being open to old vulnerabilities is a thing of the past.

Automox’s cloud patch management approach ensures that as new vulnerabilities are identified, they are patched immediately. Our cloud-based platform also means there are no new servers to manage or long configuration training.

We know that IT departments would like for every operating system and application on an endpoint to be automatically deployed, continuously monitored, and instantly patched. That’s why automation is core to the design of Automox. By automating remediation, we have created the first closed loop patching process that allows IT departments to realize zero-touch patching.

We also know that the process should be easy, fast, and manageable. From our dashboard, IT can patch Windows, Linux, and Mac OS X with the push of a button. Automox also handles patching of third-party and custom software. And we do all of it on workstations and servers anywhere in the world.

If you want to learn more about how you can stay protected from new vulnerabilities and reduce the time you spend on patch remediation by 90%, drop us a note at sales@automox.com or check us out on your own at www.automox.com.

As previously published on Automox.com
