Microsoft Out of Band Update for RCE, Followed by Patch Tuesday

On Monday 8th of May, Microsoft released an unusual ‘out of band’ update to fix a Remote Code Execution (RCE) bug in their Windows Defender anti-malware solution. The bug was found by Google’s Zero day team researchers Tavis Ormandy and Natalie Silvanovich.

Microsoft’s Security notice reads:

Microsoft is releasing this security advisory to inform customers that an update to the Microsoft Malware Protection Engine addresses a security vulnerability that was reported to Microsoft.

The update addresses a vulnerability that could allow remote code execution if the Microsoft Malware Protection Engine scans a specially crafted file. An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the LocalSystem account and take control of the system.

The Microsoft Malware Protection Engine ships with several Microsoft antimalware products. See the Affected Software section for a list of affected products. Updates to the Microsoft Malware Protection Engine are installed along with the updated malware definitions for the affected products. Administrators of enterprise installations should follow their established internal processes to ensure that the definition and engine updates are approved in their update management software, and that clients consume the updates accordingly.

Typically, no action is required of enterprise administrators or end users to install updates for the Microsoft Malware Protection Engine, because the built-in mechanism for the automatic detection and deployment of updates will apply the update within 48 hours of release. The exact time frame depends on the software used, Internet connection, and infrastructure configuration.
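To confirm that clients actually consumed the engine update within the 48-hour window the advisory describes, an administrator can query Defender's status on each host. The following is an added example, not part of Microsoft's advisory or of the original post. The function name `Get-MpEngineCompliance` and its parameters are hypothetical, it assumes hosts that expose the Defender PowerShell module (remote ones reachable over WinRM), and the fixed engine version is not stated on this page, so it must be supplied from the advisory.

```powershell
# Added example: report Defender engine version and signature age per host.
# Get-MpEngineCompliance is a hypothetical helper name. The minimum engine
# version is a mandatory parameter: copy it from Microsoft's advisory.
function Get-MpEngineCompliance {
    param(
        [Parameter(Mandatory)] [version] $MinimumEngineVersion,
        [string[]] $ComputerName = @($env:COMPUTERNAME),
        [int] $MaxSignatureAgeHours = 48   # the advisory's automatic-update window
    )
    foreach ($computer in $ComputerName) {
        $session = $null
        try {
            if ($computer -eq $env:COMPUTERNAME) {
                # Local host: no remoting session needed
                $status = Get-MpComputerStatus -ErrorAction Stop
            }
            else {
                $session = New-CimSession -ComputerName $computer -ErrorAction Stop
                $status  = Get-MpComputerStatus -CimSession $session -ErrorAction Stop
            }
            $engine = [version] $status.AMEngineVersion
            $ageHrs = ((Get-Date) - $status.AntivirusSignatureLastUpdated).TotalHours
            [pscustomobject]@{
                ComputerName    = $computer
                EngineVersion   = $engine
                EnginePatched   = $engine -ge $MinimumEngineVersion
                SignatureAgeHrs = [math]::Round($ageHrs, 1)
                SignaturesFresh = $ageHrs -le $MaxSignatureAgeHours
                Error           = $null
            }
        }
        catch {
            # Unreachable host or Defender not present: report it, never assume patched
            [pscustomobject]@{
                ComputerName    = $computer
                EngineVersion   = $null
                EnginePatched   = $false
                SignatureAgeHrs = $null
                SignaturesFresh = $false
                Error           = $_.Exception.Message
            }
        }
        finally {
            if ($session) { Remove-CimSession -CimSession $session }
        }
    }
}
```

Hosts that return `EnginePatched = $false`, or an `Error`, are the ones to chase through the update management process the advisory mentions.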

The very next day was the scheduled May 2017 Patch Tuesday, the second Tuesday of the month, when Microsoft traditionally releases its software updates, mostly bug fixes, including security patches.

This Patch Tuesday included fixes for security flaws in a number of core products, from Internet Explorer and Microsoft Edge to Windows itself, Microsoft Office, .NET, and Adobe Flash Player (which is distributed via Microsoft for Windows 10 variants).

The latest patched version of Flash Player is 25.0.0.171 for Windows, Mac, Linux and Chrome OS releases. It is available now from this link. Adobe’s advisory for this update can be found here.

If you have Adobe Flash installed, you need to update it, disable it, or remove it as soon as possible. To see which version of Flash your browser may have installed, check out this Adobe page.

