Microsoft patches flaw in anti-malware products

Microsoft has issued a security advisory warning for a bug that can cause privilege elevation, to be found - ironically enough - within the Malware Protection Engine that forms the heart of its security products.

The company warns of a privately reported vulnerability in the engine, which is used by Microsoft Security Essentials and other Microsoft-provided security products, that can allow an attacker to gain LocalSystem account privileges - allowing them complete control over a targeted system.

The severity of the vulnerability is mitigated by the news that anonymous attackers can't exploit it: because the flaw requires that a specific registry key is tampered with, only those with valid user credentials on the targeted computer can exploit the flaw.

The vulnerability has now been addressed in a patch which Microsoft has begun to automatically roll out to affected systems. As the company's anti-malware packages update automatically, in order to better protect against the latest threats, no user interaction is required in order to be protected against exploitation of the flaw.

While it's good that Microsoft has been able to patch the vulnerability so quickly - and that, so far, there have been no reports of active attacks against the flaw in the wild - it's an embarrassment for the company to admit that a potentially serious security vulnerability came from its own pro-security software.

The full vulnerability announcement can be found on Microsoft's Security Advisory site.