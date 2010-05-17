Miscreants can turn the tables on Microsoft and use its own antivirus engine against Windows users – by abusing it to install malware on vulnerable machines.

A particularly nasty security flaw exists in Redmond's anti-malware software, which is packaged and marketed in various forms: Windows Defender, Windows Intune Endpoint Protection, Microsoft Security Essentials, Microsoft System Center Endpoint Protection, Microsoft Forefront Security for SharePoint, Microsoft Endpoint Protection, and Microsoft Forefront Endpoint Protection. All are, at this moment, at risk. The engine is switched on by default in Windows 8, 8.1, 10, and Windows Server 2012.

It is possible for hackers to craft files that are booby-trapped with malicious code, and this nasty payload is executed inadvertently and automatically by the scanner while inspecting the data. The injected code runs with administrative privileges, allowing it to gain full control of the system, install spyware, steal files, and so on.

In other words, while Microsoft's scanner is searching a downloaded file for malware, it can be tricked into running and installing the very sort of software nasty it's supposed to catch and kill.

On Monday night, in an emergency update, Microsoft fixed the vulnerability in its security packages. This upgrade will be automatically fetched and installed by the scanner engine on your machines, quietly closing the embarrassing security hole over the next two days.