Security researcher Tavis Ormandy, one of Microsoft’s biggest critics, praises Microsoft for its rapid response to a newly discovered security hole Credit: Dana Vollenweider It’s like Pepsi declaring that Coke won a taste test: Google Project Zero security researchers discovered a security hole in Microsoft’s Malware Protection Engine, and two days later the Microsoft Security Response Center not only fixed the bug but also rolled out the update through the usual Windows Defender update mechanism. The bug in the main Windows Defender program was described in Security Advisory 4022344. Chances are good your Windows computer got the fix last night. Google Project Zero security researchers Tavis Ormandy and Natalie Silvanovich are credited with discovering the vulnerability. Ormandy tweeted that the security hole was “the worst Windows remote code exec in recent memory… crazy bad.” After Microsoft’s quick action on the bug, Ormandy—ordinarily one of Microsoft’s biggest critics—was swift to respond. “What an amazing response, thanks so much Simon and MSRC! That was incredible work.” The praise seems quite justified. The “wormable” hole has been plugged, and everything is now right with Microsoft Endpoint Protection, Forefront Security, Security Essentials, Intune Endpoint Protection, and all versions of Windows Defender, from Windows 7 to 8.1 to RT to Windows 10 versions 1507, 1511, 1607, and 1703. In short, it was a stunning response to a bad bug (and one more reason why you should not turn off wuauserv, the Windows Update service). The easiest way to make sure you got the fix is to check the version number for MsMpEng.exe, the Microsoft Malware Protection Engine. You’re looking for engine version 1.1.13704.0 or higher (1.1.13701.0 has the security hole). Here’s how to hunt down the version: In Windows 7, click Start > Run, type Windows Defender, and press Enter. Click the down arrow at the top on the right and choose About Windows Defender. To manually update the engine, click the down arrow, then Check for updates. In Windows 8.1, click Start and in the search box type Windows Defender. Then follow the instructions for Windows 7. In Windows 10, type Windows Defender in the Cortana search box and press Enter. In the upper-right corner, click Settings. Scroll down to the bottom and your Engine version appears under Version info. If you don’t have 1.1.13704.0, go into Windows Update (Start > Settings > Update & security), then click Check for updates. The new Windows Defender update (1.243.10.0 on my 1607 PC) should appear. Wait and make sure Windows installs it. For technical details about the security hole, read Ormandy and Silvanovich’s article on the Project Zero blog. The problem boils down to a failure of one function in a privileged kernel program to validate the argument being passed to it. As a result, a bad guy can rig nearly anything to trigger remote execution. The flaw digs into Windows using the component of MsMpEng called mpengine: Mpengine is a vast and complex attack surface, comprising of handlers for dozens of esoteric archive formats, executable packers and cryptors, full system emulators and interpreters for various architectures and languages, and so on. All of this code is accessible to remote attackers. NScript is the component of mpengine that evaluates any filesystem or network activity that looks like JavaScript. To be clear, this is an unsandboxed and highly privileged JavaScript interpreter that is used to evaluate untrusted code, by default on all modern Windows systems. This is as surprising as it sounds. Yes, you read that correctly. MsMpEng has a JavaScript interpreter that runs directly in the kernel—and it’s in all versions of Windows. While Microsoft’s solution fixed the immediate problem, it’s pretty clear there’s still a big potential security hole. A few hours ago, Vesselin Bontchev tweeted: Has anybody examined what Microsoft’s “fix” of the Defender vulnerability is? Did they just resolve the type confusion? I mean, they probably didn’t suddenly add a sandbox around it or stopped running a JavaScript interpreter in the kernel? Bottom line: Make sure Windows Defender is up to date on your system. Don’t turn off the Windows Update service. And expect to hear more about the kernel-mode JavaScript interpreter in the future. Discussion continues on the AskWoody Lounge. Related content opinion On a personal note... Woody Leonhard looks back a bit, looks ahead to retirement — and shares good news about who's picking up the Windows patching torch. By Woody Leonhard Nov 09, 2020 3 mins Small and Medium Business Computers Windows news analysis Get Microsoft's October patches installed — and seriously consider Win10 2004 Odd ancillary patches have their problems, but the mainstream October patches look pretty reliable. The big question: Is Win10 version 2004 up to your stability standards. I’m skeptical -- especially because it has few worthwhile improvements. By Woody Leonhard Oct 30, 2020 6 mins Small and Medium Business Microsoft Computers news analysis Microsoft Patch Alert: October 2020 The big news with this month’s patches – aside from the usual smorgasbord of strange errors – has more to do with the patches that are outside the regular cumulative update stream. Remarkably, we didn’t get any security fixes By Woody Leonhard Oct 22, 2020 189 mins Small and Medium Business Microsoft Office Microsoft news analysis With Patch Tuesday here, be sure Windows Update is paused With all the flotsam floating around, it’s easy to lose sight of Second Tuesdays. October’s arrives tomorrow and, with it, another round of Windows and Office patches. Take a minute to make sure you aren’t in the front lines, as eve By Woody Leonhard Oct 12, 2020 5 mins Small and Medium Business Microsoft Windows Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe