Microsoft says that it's already shipping a fix to users

Jun 18, 2014 05:32 GMT  ·  By

Microsoft today confirmed in an advisory that a number of anti-malware products are affected by a critical vulnerability that could allow an attacker to disable protection and thus infect the computer with the help of a compromised website.

The vulnerability was discovered by Google security engineer Tavis Ormandy, who has a good track on Microsoft software bugs, but the Redmond-based tech giant says that it's not yet aware of any exploits trying to take advantage of this flaw.

In the security advisory published this morning, Microsoft confirmed that all but two of its anti-malware products are affected by the flaw, including Forefront Client Security, Security Essentials stable and prerelease, Windows Defender, and Intune Endpoint Protection.

Windows Defender is running on the majority of Windows products, including Windows XP, Windows 7, Windows 8, Windows 8.1, and Windows RT 8.1.

“Microsoft is releasing this security advisory to inform customers that an update to the Microsoft Malware Protection Engine addresses a security vulnerability that was reported to Microsoft,” Microsoft says in the advisory released today.

“The vulnerability could allow denial of service if the Microsoft Malware Protection Engine scans a specially crafted file. An attacker who successfully exploited this vulnerability could prevent the Microsoft Malware Protection Engine from monitoring affected systems until the specially crafted file is manually removed and the service is restarted.”

The company says that it has already started providing a fix to the affected machines and all clients will get it automatically as it's installed along with the updated malware definitions for the affected products.

At the same time, Redmond says that no action is recommended, since the update should reach your computer sometime within the next 48 hours.

“Typically, no action is required of enterprise administrators or end users to install updates for the Microsoft Malware Protection Engine, because the built-in mechanism for the automatic detection and deployment of updates will apply the update within 48 hours of release. The exact time frame depends on the software used, Internet connection, and infrastructure configuration,” it stated.

Windows XP users who are already running Security Essentials will also get the update because it's delivered together with new malware definitions. Microsoft promised to keep existing Security Essentials installations alive until mid-2015, so the existing users running this particular security app on Windows XP should be on the safe side as well, with the update to be deployed on their computers in the next 48 hours as well.