According to a security advisory, the flaw causes a memory corruption error when the affected malware scanning tools scan a specially crafted file. It could allow an attacker to run arbitrary code on the target machine and take control of the system with Local System privileges: installing programs, manipulating files, or creating new user accounts with full user rights.
Microsoft said they aren’t aware of any instance where the vulnerability has been actively exploited in the wild. It can be triggered if real-time protection is turned on for an affected version of the Microsoft Malware Protection Engine. Even with real-time protection disabled, the exposure remains, as an attacker can simply wait for the next scheduled scan, which would process the crafted file and trigger the vulnerability.
The remote code execution bug in the software was first reported to Microsoft by the National Cyber Security Centre, the information security arm of the British intelligence agency GCHQ. The list of affected software includes Windows Defender, Microsoft Security Essentials, Microsoft Forefront Endpoint Protection, Microsoft Exchange Server 2013 and 2016, and Microsoft Endpoint Protection.
Microsoft has released a security patch to address the bug. Users have to do nothing: the built-in update mechanism in the malware scanning tool automatically downloads and installs engine updates whenever an active internet connection is available. The security patch will also be part of the monthly cumulative update (aka Patch Tuesday) releasing on December 12.
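Because the engine updates itself silently, the practical question for an administrator is whether a given host has actually received the fix and whether real-time protection is on. The following PowerShell script is an added example, not code from the article or from Microsoft: it reads the engine version and real-time protection state through the Defender module's `Get-MpComputerStatus` cmdlet, compares the engine version against a minimum you supply, and forces a definition update if the host is behind. The `$MinimumEngineVersion` default is a placeholder; the article does not state the fixed engine version, so take that value from Microsoft's advisory for this fix.

```powershell
# Added example (not from the article or from Microsoft): verify that the
# Microsoft Malware Protection Engine on this host is at or above a required
# version and that real-time protection is enabled. Run in an elevated
# PowerShell session on a host that has the Defender module (Windows 8 /
# Server 2012 and later).
param(
    # PLACEHOLDER: substitute the fixed engine version from Microsoft's advisory.
    [version]$MinimumEngineVersion = [version]'0.0.0.0'
)

function Get-EngineComplianceReport {
    param([version]$Minimum)

    $status = Get-MpComputerStatus
    $engine = [version]$status.AMEngineVersion   # e.g. "1.1.12345.0" parses as a System.Version

    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        EngineVersion          = $engine
        SignatureVersion       = $status.AntivirusSignatureVersion
        RealTimeProtectionOn   = $status.RealTimeProtectionEnabled
        EngineAtOrAboveMinimum = ($engine -ge $Minimum)
    }
}

$report = Get-EngineComplianceReport -Minimum $MinimumEngineVersion

if (-not $report.EngineAtOrAboveMinimum) {
    Write-Warning "Engine $($report.EngineVersion) is below $MinimumEngineVersion; requesting an update."
    # Update-MpSignature pulls the latest definition package from the configured
    # update source (Microsoft Update by default); engine updates ship through
    # the same channel, so this is the same path the automatic updater uses.
    Update-MpSignature -ErrorAction Stop
    # Re-read the status so the report reflects the post-update state.
    $report = Get-EngineComplianceReport -Minimum $MinimumEngineVersion
}

if (-not $report.RealTimeProtectionOn) {
    Write-Warning "Real-time protection is disabled; scheduled scans would still process any crafted file."
}

$report
```

Usage: `.\Check-MpEngine.ps1 -MinimumEngineVersion 1.1.x.y` (with the real value substituted). Hosts running Microsoft Security Essentials or Forefront Endpoint Protection on older Windows versions do not expose the Defender module, so for those the engine version is read from the product's own UI or the `MpCmdRun.exe -SignatureUpdate` path instead.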