The Inquirer-Home

Microsoft patches DoS bug in anti-malware engine

Seven months after it was discovered
Wed Jun 18 2014, 16:31

MICROSOFT HAS PATCHED a vulnerability in its anti-malware engine, over seven months after it was reported.

The Redmond firm released an advisory today that talks of a "specially crafted file" that could cause a denial of service. The file would prevent the user's anti-malware software from working unless manually removed.

While it's not explicitly malicious in itself, if used it could leave the user's machine open to non-detection of less benign files such as Trojans.

The bug affects almost all iterations of Microsoft's anti-malware software, from Windows Defender, which is built into most versions of Windows, to enterprise level services such as Endpoint. Also affected is Microsoft's free anti-virus product, Microsoft Security Essentials.

Microsoft said that no one has exploited the vulnerability and that the update will in most cases roll out silently and automatically, but recommended that users and administrators check to ensure that the patch is installed.

The bug was discovered by Tavis Ormandy of Google Project Zero, who reported that the bug was in the JavaScript interpreter. Project Zero is the shadowy corner of Google that specialises in searching for vulnerabilities, particularly zero-day flaws.

It is not expected that Windows XP users will get another reprieve in the form of another special patch. Just weeks after the 13-year-old PC operating system reached end of life in April, Microsoft surprised the world by releasing a patch for a zero-day vulnerability in Internet Explorer that also covered Windows XP. This was, however, a one-off, the company said. µ

 
