Microsoft hastened to correct a critical Windows flaw after a British intelligence organization discovered the vulnerability and reported it to the company. The flaw in question, CVE-2017-11937, was found by the United Kingdom's National Cyber Security Centre (NCSC), which is part of the intelligence agency Government Communications Headquarters (GCHQ).
CVE-2017-11937, as Microsoft wrote in its security advisory, is a critical remote code execution vulnerability in the Microsoft Malware Protection Engine. The vulnerability affects Windows 7 and later, and it reaches every product that depends on that engine: Windows Defender, Microsoft Security Essentials, Microsoft Endpoint Protection and Windows Intune Endpoint Protection. Microsoft's advisory describes the impact of a successful exploit as follows:
An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the LocalSystem account and take control of the system. An attacker could then install programs; see, change or delete data; or create new accounts with full user rights.
To exploit CVE-2017-11937, an attacker must craft a malicious file that the engine will scan by default. For this to happen, the file must be delivered to a location that Windows security products scan automatically (such as an email attachment, a file-hosting server or a website). Because the scan is automatic, the attacker's code runs as soon as the engine processes the file, with no action required from the user, which gives the attacker full control of the machine.
The good news is that the patch for this critical Windows flaw was delivered quickly. Even better, most users already have the fixed engine. As Catalin Cimpanu of Bleeping Computer explains in his report on the vulnerability, version 1.1.14405.2 of the Microsoft Malware Protection Engine was installed automatically on machines that have the "auto-update mechanism for this component" enabled. The only way the update could have been blocked is if administrators "have chosen to block MMPE updates by modifying the registry keys or through group policies".
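A defender can confirm whether a host received the fixed engine by comparing the installed engine version with the 1.1.14405.2 release the article names. The script below is an added example, not code from the article or from Microsoft; it assumes the Defender PowerShell module (Get-MpComputerStatus) is present, and the sample version strings at the bottom are constructed.

```powershell
# Added example: check the installed Malware Protection Engine against the
# fixed version named in the article (1.1.14405.2). Not from the article.
$PatchedEngineVersion = [version]'1.1.14405.2'

function Test-MpEngineVersion {
    param(
        [Parameter(Mandatory)][string]$EngineVersion,
        [version]$MinimumVersion = $PatchedEngineVersion
    )
    # [version] understands four-part strings; anything else yields $null
    $installed = $EngineVersion -as [version]
    if (-not $installed) {
        return [pscustomobject]@{ Installed = $EngineVersion; Patched = $false; Reason = 'unparseable engine version' }
    }
    $ok = $installed -ge $MinimumVersion
    $reason = if ($ok) { 'engine at or above fixed version' } else { 'engine older than fixed version' }
    [pscustomobject]@{ Installed = $installed.ToString(); Patched = $ok; Reason = $reason }
}

function Get-MpEngineReport {
    # Live values from the local Defender / MMPE installation
    $status = Get-MpComputerStatus
    $check  = Test-MpEngineVersion -EngineVersion $status.AMEngineVersion
    # A stale signature timestamp is a hint that automatic updates are blocked
    # (the registry or Group Policy case the article mentions)
    $sigAgeDays = ((Get-Date) - $status.AntivirusSignatureLastUpdated).TotalDays
    [pscustomobject]@{
        EngineVersion        = $check.Installed
        Patched              = $check.Patched
        Reason               = $check.Reason
        SignatureAgeDays     = [math]::Round($sigAgeDays, 1)
        UpdatesLikelyStalled = ($sigAgeDays -gt 7)   # threshold is an assumption
    }
}

# Constructed sample inputs: an older engine string and the fixed one
Test-MpEngineVersion -EngineVersion '1.1.14306.0'
Test-MpEngineVersion -EngineVersion '1.1.14405.2'

# Live check on the local Windows host
Get-MpEngineReport | Format-List
```

A host that reports Patched = False together with UpdatesLikelyStalled = True is the case the article describes: engine updates held back by a registry or Group Policy setting.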