A serious vulnerability in the software at the core of Microsoft’s anti-malware solutions (Microsoft Malware Protection Engine) could open the door for DDoS attacks.

An attacker could create a special file, which – when scanned by affected software – would make the anti-malware software ineffective against any and all malware. A new patch from Microsoft fixes the vulnerability.

Software that uses the Malware Protection Engine is typically configured to update itself automatically. That includes Microsoft Security Essentials, a free Windows-based anti-malware solution.

If you are using MSSE, you can determine whether the patch has been installed by opening MSSE, clicking the small arrow next to ‘Help’, then clicking ‘About’. You should see a line like this:

Engine Version: 1.1.10701.0

If your Engine Version is 1.1.10701.0 or higher, then the patch has been installed and you are protected against this vulnerability. If the version is 1.1.10600.0 or lower, go to the Update tab and click the Update button.

Microsoft Security Advisory 2974294 provides additional details.