In response to a constantly changing threat landscape, Microsoft frequently updates malware definitions and the Microsoft Malware Protection Engine. In order to be effective in helping protect against new and prevalent threats, antimalware software must be kept up to date with these updates in a timely manner.
Microsoft typically releases an update for the Microsoft Malware Protection Engine once a month or as needed to protect against new threats. Microsoft also typically updates the malware definitions three times daily and can increase the frequency when needed.
Depending on which Microsoft antimalware product is used and how it is configured, the software checks for engine and definition updates anywhere from once a day to several times a day when connected to the Internet. Customers can also check for updates manually at any time.
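Because the fix for an engine vulnerability ships as an engine update rather than a Windows patch, the practical check on a host is whether the installed engine version is at or above the first fixed version listed in the advisory and whether definitions are still arriving on schedule. The following PowerShell script is an added example, not part of the original advisory or of any Microsoft tooling; it uses the Defender module cmdlets Get-MpComputerStatus and Update-MpSignature, and takes the minimum engine version as a parameter because that value comes from the advisory for the CVE being checked (the value in the usage line is the one I believe the advisory for these CVEs gives, and should be confirmed there).

```powershell
# Added example (not from the original advisory): report the Microsoft Malware
# Protection Engine version and definition age on this host, compare the engine
# against the first fixed version from an advisory, and force an update if stale.
# Requires the Defender PowerShell module (Windows 8.1 / Server 2012 R2 and later).
# Assumption: -MinimumEngineVersion is taken from the Microsoft advisory for the
# CVE being checked; nothing here is hard-coded to a specific CVE.

param(
    [Parameter(Mandatory = $true)]
    [version]$MinimumEngineVersion,

    # Definitions normally update several times a day; flag anything older than this.
    [int]$MaxDefinitionAgeHours = 24
)

$status = Get-MpComputerStatus

# AMEngineVersion is a string such as "1.1.14405.2"; casting to [version]
# gives a proper numeric comparison instead of a string comparison.
$engine = [version]$status.AMEngineVersion
$defAge = (Get-Date) - $status.AntivirusSignatureLastUpdated

$report = [pscustomobject]@{
    ComputerName         = $env:COMPUTERNAME
    EngineVersion        = $engine
    EnginePatched        = ($engine -ge $MinimumEngineVersion)
    SignatureVersion     = $status.AntivirusSignatureVersion
    SignatureLastUpdated = $status.AntivirusSignatureLastUpdated
    DefinitionAgeHours   = [math]::Round($defAge.TotalHours, 1)
    DefinitionsStale     = ($defAge.TotalHours -gt $MaxDefinitionAgeHours)
    RealTimeProtection   = $status.RealTimeProtectionEnabled
}
$report

if (-not $report.EnginePatched -or $report.DefinitionsStale) {
    # Pull the latest engine and definitions now rather than waiting for the
    # next scheduled check; the engine is delivered through the same channel.
    Write-Warning "Engine below $MinimumEngineVersion or definitions older than $MaxDefinitionAgeHours h; running Update-MpSignature."
    Update-MpSignature
    Write-Warning "Re-run this script after the update completes to confirm the new engine version."
}

# Usage (version value to be confirmed against the advisory for CVE-2017-11937 / CVE-2017-11940):
#   .\Check-MpEngine.ps1 -MinimumEngineVersion 1.1.14405.2
```

On a fleet this is best run through your management tooling and the EnginePatched column collected centrally, since a host whose engine is current but whose RealTimeProtection is off will still not scan the crafted file the vulnerability depends on.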
About CVE-2017-11937 and CVE-2017-11940 (Remote Code Execution)
A remote code execution vulnerability exists when the Microsoft Malware Protection Engine does not properly scan a specially crafted file, leading to memory corruption. An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the LocalSystem account and take control of the system. An attacker could then install programs, view, change, or delete data or create new accounts with full user rights.
The following software versions or editions are affected:
- Microsoft Endpoint Protection
- Microsoft Exchange Server 2013, 2016
- Microsoft Forefront Endpoint Protection 2010
- Microsoft Security Essentials
- Windows Defender
- Windows Intune Endpoint Protection
This security vulnerability was discovered and reported to Microsoft by the UK’s National Cyber Security Centre (NCSC), a cyber defense organization of Britain’s signals intelligence and cyber security agency, known as GCHQ.