As described by the Project Zero team, the problem resided in Microsoft’s antimalware protection engine, which is supposed to scan files for issues, but could be tricked into executing code included in an email, on a webpage or in an instant message. Now that it’s patched, your Windows computer should download the updated version automatically within the next day or two.
If you’re in a hurry, you can punch the update button and get it manually, likely without a reboot — just check your Windows Defender settings to make sure it has an engine listed with version 1.1.13704.0 or higher.
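The version check described above can be scripted. This is an added example, not from the original article or from Microsoft: the function name and output fields are hypothetical, and it assumes the Defender PowerShell module (Get-MpComputerStatus) is available and, for remote hosts, that WinRM is enabled. The version is compared as a [version] object because a plain string comparison would sort 1.1.9xxx above 1.1.13704.

```powershell
# Added example (hypothetical helper): report whether the Defender engine
# is at or above the fixed version named in the article.
function Test-DefenderEngineVersion {
    [CmdletBinding()]
    param(
        # Remote hosts to check; with none given, the local machine is checked.
        [string[]]$ComputerName,
        # Minimum engine version taken from the article.
        [version]$MinimumVersion = '1.1.13704.0'
    )

    # $null stands for "local machine, no CIM session needed".
    $targets = if ($ComputerName) { $ComputerName } else { @($null) }

    foreach ($name in $targets) {
        $label   = if ($name) { $name } else { $env:COMPUTERNAME }
        $session = $null
        try {
            $query = @{ ErrorAction = 'Stop' }
            if ($name) {
                $session = New-CimSession -ComputerName $name -ErrorAction Stop
                $query.CimSession = $session
            }
            $status = Get-MpComputerStatus @query

            # Cast to [version] so 1.1.9xxx is not treated as newer than 1.1.13704.
            $engine = [version]$status.AMEngineVersion
            [pscustomobject]@{
                ComputerName  = $label
                EngineVersion = $engine
                Patched       = ($engine -ge $MinimumVersion)
                Error         = $null
            }
        } catch {
            # Host unreachable, Defender absent, or version string unparsable:
            # report it as unknown rather than as patched.
            [pscustomobject]@{
                ComputerName  = $label
                EngineVersion = $null
                Patched       = $false
                Error         = $_.Exception.Message
            }
        } finally {
            if ($session) { Remove-CimSession -CimSession $session }
        }
    }
}

# Local check; pass -ComputerName host1,host2 to sweep several machines.
Test-DefenderEngineVersion | Format-Table -AutoSize
```

Hosts that report Patched = False with no error have not yet pulled the update; running Update-MpSignature on them starts a manual update.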
Just released malware protection engine update to address RCE vuln – Defender will autoupdate. https://t.co/rzn5QWo6sV
— Security Response (@msftsecresponse) May 9, 2017
.@natashenka Attack works against a default install, don’t need to be on the same LAN, and it’s wormable. 🔥
— Tavis Ormandy (@taviso) May 6, 2017
CVE-2017-0290 is tweetable 🙂
— Natalie Silvanovich (@natashenka) May 9, 2017
Still blown away at how quickly @msftsecurity responded to protect users, can’t give enough kudos. Amazing.
— Tavis Ormandy (@taviso) May 9, 2017