Researchers at Google's Project Zero said earlier they had discovered a "crazy, bad" remotely exploitable vulnerability in Windows.
Researcher Tavis Ormandy claimed he and his colleague Natalie Silvanovich had "discovered the worst Windows remote code exec in recent memory. This is crazy bad. Report on the way".
The flaw is present in all the various avatars under which Microsoft markets its malware protection engine: Windows Defender, Windows Intune Endpoint Protection, Microsoft Security Essentials, Microsoft System Center Endpoint Protection, Microsoft Forefront Security for SharePoint, Microsoft Endpoint Protection, and Microsoft Forefront Endpoint Protection.
.@natashenka Attack works against a default install, don't need to be on the same LAN, and it's wormable. — Tavis Ormandy (@taviso) 6 May 2017
Specially crafted files can install malware while the Windows malware scanner is examining them. Because the engine runs with administrative privileges, malicious code that exploits it has carte blanche to do what it likes on the system.
"There are many ways that an attacker could place a specially crafted file in a location that is scanned by the Microsoft Malware Protection Engine," Microsoft said in its advisory.
"For example, an attacker could use a website to deliver a specially crafted file to the victim's system that is scanned when the website is viewed by the user. An attacker could also deliver a specially crafted file via an email message or in an Instant Messenger message that is scanned when the file is opened.
"In addition, an attacker could take advantage of websites that accept or host user-provided content, to upload a specially crafted file to a shared location that is scanned by the Malware Protection Engine running on the hosting server."
Project Zero researchers wait for 90 days after they inform the company responsible about a bug before they make the details public.
This is not the first time that Google's Project Zero has found dangerous bugs in Windows; a remotely exploitable bug in Internet Explorer 11 was revealed in February.
A second bug, in the Windows Graphics Device Interface (GDI) library, was disclosed the same month after Microsoft put off issuing its monthly security updates that month.