CVE-2018-0986 is the identifier of a newly disclosed critical Windows vulnerability in the Microsoft Malware Protection Engine that affects Windows Defender. According to Microsoft, the flaw could allow remote code execution when the engine fails to properly scan a specially crafted file, leading to memory corruption.
The tech giant released patches for the critical bug ahead of April’s Patch Tuesday. Immediate action was warranted because the flaw sits in the Microsoft Malware Protection Engine, specifically mpengine.dll, which is the core of Windows Defender in the latest version of the operating system (Windows 10).
How Can CVE-2018-0986 Be Exploited?
A specially crafted file must be scanned by an affected version of the MMP engine. This can happen in several ways: an attacker could place that file in a location typically scanned by the engine. “For example, an attacker could use a website to deliver a specially crafted file to the victim’s system that is scanned when the website is viewed by the user,” Microsoft explained.
Another way is for a malicious actor to deliver the crafted file via an email message or an Instant Messenger message that is scanned when the file is opened. A third option is to take advantage of websites that accept or host user-provided content: the same malicious file can be uploaded to a shared location there and scanned by the engine running on the hosting server.
If the affected antimalware software has real-time protection turned on, the Microsoft Malware Protection Engine will scan files automatically, leading to exploitation of the vulnerability when the specially crafted file is scanned.
If real-time scanning is not enabled, the attacker would have to wait until a scheduled scan takes place. All systems running an affected version of antimalware software are at risk, meaning that users and admins should update immediately to avoid attacks.
How Did Microsoft Fix CVE-2018-0986?
In short, the patch works by correcting the way the Microsoft Malware Protection Engine scans specially crafted files.
Keep in mind that the built-in mechanism for automatic detection and deployment of Microsoft Malware Protection Engine updates normally takes care of updating affected systems. This mechanism applies the update within 2 days of the patch’s release.
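Because the engine updates silently, an administrator will usually want to confirm that the engine on a given host has actually moved past the vulnerable build. The following PowerShell check is an added example written for this article (it is not Microsoft's code); it uses the standard Windows Defender cmdlets, and the fixed engine version is a labelled placeholder that must be replaced with the version number from Microsoft's advisory.

```powershell
# Added example: verify the Defender engine version and real-time protection state.
# PLACEHOLDER: replace with the fixed mpengine.dll version listed in the CVE-2018-0986 advisory.
$FixedEngineVersion = [version]'0.0.0.0'

$status = Get-MpComputerStatus

# AMEngineVersion is the Microsoft Malware Protection Engine (mpengine.dll) version.
$current = [version]$status.AMEngineVersion

Write-Host "Engine version:         $current"
Write-Host "Real-time protection:   $($status.RealTimeProtectionEnabled)"
Write-Host "Last full scan:         $($status.FullScanEndTime)"

if ($current -lt $FixedEngineVersion) {
    Write-Warning "Engine $current is older than the fixed build $FixedEngineVersion."
    # Pull the latest engine and definitions now instead of waiting for the
    # automatic update cycle described above.
    Update-MpSignature
    $after = [version](Get-MpComputerStatus).AMEngineVersion
    if ($after -lt $FixedEngineVersion) {
        Write-Warning "Engine still at $after after update; check update connectivity or policy."
    } else {
        Write-Host "Engine updated to $after."
    }
} else {
    Write-Host "Engine is at or above the fixed build."
}
```

Run the script from an elevated PowerShell session on each host you want to verify; the comparison uses `[version]` casting so that multi-part engine version strings are compared numerically rather than as text.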