Microsoft patches critical security bug in Windows Defender
If you're running Windows Defender (quite a strong possibility if you're running Windows), make sure you've got all your updates. Microsoft issued a patch this past Monday for a vulnerability in its malware protection engine that could allow a remote attacker to gain control over any affected system simply by sending the victim a specially crafted e-mail or instant message. The exploit can be activated when Windows Defender merely scans a piece of data, and it doesn't require any action on the part of a local user to take effect.
The vulnerability itself lies in NScript, a Defender component. NScript thoroughly checks in-flight data (whether on disk or network) that appears to contain JavaScript. The component runs completely un-sandboxed despite checking untrusted code. Given that Defender is one of Windows' most privileged processes, the ...