Many malware researchers were surprised to find an unexpected patch on their machines yesterday. It didn’t arrive through the front door, because Windows Update wasn’t involved. Instead, the new version of mpengine.dll arrived automatically, around the back, through the engine’s own definition-update channel, even if you have Windows Update turned off.
This vulnerability is particularly nasty. If the Malware Protection Engine scans a specially crafted file, that file can run code of the attacker’s choosing with the engine’s system-level privileges and take over your computer. Since the engine runs all the time, in the background, and scans files it has not been asked to open, a bad file could infect your computer in myriad ways without you clicking anything. To quote Microsoft’s Security Vulnerability notice:
There are many ways that an attacker could place a specially crafted file in a location that is scanned by the Microsoft Malware Protection Engine. For example, an attacker could use a website to deliver a specially crafted file to the victim's system that is scanned when the website is viewed by the user. An attacker could also deliver a specially crafted file via an email message or in an Instant Messenger message that is scanned when the file is opened. In addition, an attacker could take advantage of websites that accept or host user-provided content, to upload a specially crafted file to a shared location that is scanned by the Malware Protection Engine running on the hosting server.
The list of affected systems reads like a who’s who of the Windows world: all versions of Win10, 8.1 and 7, Win RT 8.1, Server 2016, Forefront Endpoint Protection, Exchange Server, and Server 2008 R2 with Desktop Experience. That list covers only the supported versions of Windows. WinXP appears to be vulnerable as well, although no fix is being distributed for it.
Catalin Cimpanu at bleepingcomputer has more details, including a pedigree that traces the discovery of the flaw to the U.K. National Cyber Security Centre. He lists three additional “crazy bad” security holes in mpengine.dll from earlier this year.
To see if you’ve been updated properly, bring up Windows Defender and look at the Engine Version. (I have instructions for Win 7, 8.1 and 10 in my May 9 report.) If you see Engine Version 1.1.14306, your machine hasn’t caught up yet.
If your machine isn’t yet up to the fixed version, 1.1.14405.2, I strongly suggest that you not touch the machine until it updates itself. Go get a cup of coffee, and it’ll likely be done by the time you’re back. Note that the version you want to check is the Engine Version, not the definition (signature) version; the two update on separate schedules.
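For readers who would rather script the check than eyeball the Defender window, here is an added example (mine, not from the AskWoody post or from Microsoft) that reads the engine version, compares it with the fixed build named above and, if the machine is still behind, nudges the definition-update channel instead of waiting. It assumes the Defender PowerShell module is present (Get-MpComputerStatus and Update-MpSignature exist on Win 8.1, Win 10 and Server 2016); the registry paths and the MpCmdRun.exe location used as a Windows 7 fallback are assumptions about where the engine normally records its version, not something stated on this page.

```powershell
# Added example (not part of the original post): is the Malware Protection
# Engine on this machine at or above the fixed build? Run from an elevated
# PowerShell prompt.
#
# Assumptions, labelled because the page does not state them:
#  - Get-MpComputerStatus / Update-MpSignature exist (Defender module on
#    Win 8.1, Win 10, Server 2016). On Win 7 the registry fallback is used.
#  - The registry keys below are where Windows Defender / Microsoft Security
#    Essentials write the engine version.

$FixedEngine = [version]'1.1.14405.2'   # fixed build named in the post

function Get-MpEngineVersion {
    # Preferred path: the Defender cmdlet reports AMEngineVersion directly.
    if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
        return [version](Get-MpComputerStatus).AMEngineVersion
    }
    # Fallback for Windows 7 / MSE (assumed registry locations).
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows Defender\Signature Updates',
        'HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware\Signature Updates'
    )
    foreach ($p in $paths) {
        $v = (Get-ItemProperty -Path $p -Name EngineVersion -ErrorAction SilentlyContinue).EngineVersion
        if ($v) { return [version]$v }
    }
    throw 'Could not determine the Malware Protection Engine version.'
}

function Test-MpEnginePatched {
    param([version]$Current, [version]$Fixed = $FixedEngine)
    # [version] compares component by component, so a plain string compare
    # pitfall ("1.1.9999" sorting after "1.1.14405.2") cannot bite here.
    return $Current -ge $Fixed
}

$current = Get-MpEngineVersion
if (Test-MpEnginePatched -Current $current) {
    "Engine $current is at or above $FixedEngine: patched."
} else {
    "Engine $current is older than $FixedEngine: still vulnerable."
    # Trigger the definition/engine update rather than waiting for the
    # scheduled pull. Update-MpSignature is the cmdlet form; MpCmdRun.exe
    # -SignatureUpdate is the command-line equivalent (path assumed).
    if (Get-Command Update-MpSignature -ErrorAction SilentlyContinue) {
        Update-MpSignature
    } else {
        & "$env:ProgramFiles\Windows Defender\MpCmdRun.exe" -SignatureUpdate
    }
    "Re-run this script once the update has finished."
}
```

The engine version and the signature (definition) version are reported separately; the script deliberately reads AMEngineVersion rather than the signature version, because a machine can have today’s definitions and still be running the old engine.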
Join us for more patching fun ‘n games on the AskWoody Lounge.