All developers can now release apps and bots for Microsoft Teams

Because MsMpEng runs at the highest privilege level and is so ubiquitous across Windows PCs, this vulnerability is about as bad as it gets.

Microsoft has recommended to users that they must update the system as quickly as possible with the security patch version 1.1.13704.0. In addition, Microsoft says that in most cases both enterprise administrators and end users do not need to take any action because updates are typically doled out automatically within 48 hours of release. The company has also confirmed that users won't be able to change the default browser and search engine, meaning they'll be stuck with Microsoft Edge and Bing on their devices.

"Next priority goes to three critical SMB remote code execution vulnerabilities (CVE-2017-0277, CVE-2017-0278, CVE-2017-0279) that affect the Windows server machines as well as desktop clients", claimed Sarwate. "An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the LocalSystem account and take control of the system", the company reported.

Microsoft provided patches for 57 vulnerabilities on May Patch Tuesday, including the out-of-band patch.

The researchers from Google Project Zero have revealed a remote code execution bug in Microsoft Windows. NScript can be exploited using a few lines of JavaScript, which can be injected into a website, email, instant message or any other type of file that may be scanned by Windows Defender. The last version affected by the vulnerability is 1.1.13701.0.

The Microsoft Malware Protection Engine helps ensure that malware definitions and the its own operations are kept up to date automatically inside applications.

Microsoft announced their gen-next Windows 10 S Operating System, which was a direct attack at Google's Chromebook devices and their Chrome OS. The security bulletin notes that Microsoft hadn't seen any public exploitation of the vulnerability.

The Home Hub will let users control their smart home device and Microsoft is planning to add support for devices from smart home gadget makers like Philips Hue, Samsung's Smart Things etc.

Ormandy mentioned in the tweet that a report will follow soon.

However, the two initially disclosed details of the flaw only to Microsoft, whose engineers worked over the weekend and finally released a fix and a statement explaining the fix Monday evening (May 8).

The researchers said mpengine offers attackers a "vast and complex attack surface", with numerous components including executable packers an cryptors, system emulators and interpreters that are accessible remotely.

  • Carolyn Briggs