Microsoft Malware Protection Engine

Microsoft issued out-of-band patch to fix Malware Protection Engine flaw

Target: Users with Microsoft Malware Protection Engine

Attack Vector: Email and websites

Summary: Microsoft Malware Protection Engine is the core component for malware detection and cleaning for several Microsoft anti-malware products. Microsoft released an emergency security update via Windows Update that fixes CVE-2018-0986, a flaw that could be exploited by attackers to execute malicious code on a Windows system with system privileges to gain the full control of the vulnerable machine.

Risk assessment summary: The threat is assessed as 3e MODERATE and the likelihood has been rated as possible. Successful exploitation of the vulnerability can allow the attacker to take control of the victim’s machine permitting them to install programs; view, change, or delete data and create new accounts with full user rights. However, Microsoft have released an emergency patch to mitigate this flaw which can silently deliver the necessary patches without needing user interaction as Microsoft decoupled MMPE component updates from OS updates.

Leave a Reply

Your email address will not be published. Required fields are marked *