Microsoft has released an urgent update to stop hackers taking control of computers with a single email. The unusual bug, in Microsoft anti-malware software such as Windows Defender, could be exploited without the recipient even opening the message.
Researchers working for Google’s Project Zero cyber-security outfit discovered the flaw at the weekend. The fix has been specially pushed out hours before the software giant’s monthly Tuesday security update.
The update addresses CVE-2017-0290, a vulnerability that could allow remote code execution if the Microsoft Malware Protection Engine scans a specially crafted file. An attacker who successfully exploited the vulnerability could execute arbitrary code in the security context of the LocalSystem account and take control of the system.
The engine is a malware protection service that is enabled by default on Windows 8, 8.1, 10 and Windows Server 2012. Its core engine is also used in Microsoft Security Essentials, System Center Endpoint Protection and various other Microsoft security products.
The bug was initially discovered and disclosed by Google Project Zero researchers Natalie Silvanovich and Tavis Ormandy, who claimed in their advisory: “On workstations, attackers can access mpengine by sending emails to users (reading the email or opening attachments is not necessary), visiting links in a web browser, instant messaging and so on.”