Microsoft issued out-of-band patch to fix Malware Protection Engine flaw
Target: Users with Microsoft Malware Protection Engine
Attack Vector: Email and websites
Summary: Microsoft Malware Protection Engine is the core component for malware detection and cleaning in several Microsoft anti-malware products. Microsoft released an emergency security update via Windows Update that fixes CVE-2018-0986, a flaw that attackers could exploit to execute malicious code on a Windows system with system privileges and gain full control of the vulnerable machine.
Risk assessment summary: The threat is assessed as 3e MODERATE and the likelihood has been rated as possible. Successful exploitation of the vulnerability can allow the attacker to take control of the victim’s machine, permitting them to install programs; view, change, or delete data; and create new accounts with full user rights. However, Microsoft have released an emergency patch to mitigate this flaw. Because Microsoft decoupled MMPE component updates from OS updates, the fix can be delivered silently, without user interaction.