Microsoft has quietly added to its May Patch Tuesday security updates by fixing eight critical vulnerabilities in its Malware Protection Engine.
Redmond said at the end of last week that it had released an updated version of the engine – 1.1.13804.0 – to fix five denial of service and three remote code execution vulnerabilities.
Once again it was Google researchers from the firm’s Project Zero team, including Tavis Ormandy and colleague Mateusz Jurczyk, who discovered the bugs.
Jurczyk wrote: “Through fuzzing, we have discovered a number of ways to crash the service (and specifically code in the mpengine.dll module), by feeding it with malformed input testcases to scan.”
He explained that the heap buffer overflow, heap corruption and unspecified memory corruption issues were the most important as they could lead to arbitrary code execution.
“On the other hand, "null_1-4", "div_by_zero" and "recursion" are low severity bugs that can only be used to bring the service process down,” he added.
The full list of vulnerabilities is as follows: CVE-2017-8535; CVE-2017-8536; CVE-2017-8537; CVE-2017-8538; CVE-2017-8539; CVE-2017-8540; CVE-2017-8541; and CVE-2017-8542.
Attackers can apparently exploit the above flaws by getting the Microsoft Malware Protection Engine to scan a specially crafted file.
“An attacker could use a website to deliver a specially crafted file to the victim's system that is scanned when the website is viewed by the user. An attacker could also deliver a specially crafted file via an email message or in an Instant Messenger message that is scanned when the file is opened. In addition, an attacker could take advantage of websites that accept or host user-provided content, to upload a specially crafted file to a shared location that is scanned by the Malware Protection Engine running on the hosting server.”
The good news is that admins will typically not need to do anything this time around as these patches will update automatically.
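Admins who want to confirm that the automatic update has landed can compare the installed engine version against the fixed release. The script below is an added example, not code from Microsoft or from the original article; it assumes the Defender PowerShell module (`Get-MpComputerStatus`) is present and that remote hosts accept CIM sessions, and the function name and host list are hypothetical.

```powershell
# Added example: report whether the Malware Protection Engine is at or above
# the fixed version named in the article (1.1.13804.0).
$FixedEngine = [version]'1.1.13804.0'

function Test-MpEngineVersion {
    param(
        # Hypothetical host list; defaults to the local machine only.
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )
    foreach ($name in $ComputerName) {
        $session = $null
        try {
            if ($name -eq $env:COMPUTERNAME) {
                # Local query needs no remoting.
                $status = Get-MpComputerStatus -ErrorAction Stop
            } else {
                $session = New-CimSession -ComputerName $name -ErrorAction Stop
                $status  = Get-MpComputerStatus -CimSession $session -ErrorAction Stop
            }
            $engine = [version]$status.AMEngineVersion
            [pscustomobject]@{
                ComputerName  = $name
                EngineVersion = $engine
                Patched       = ($engine -ge $FixedEngine)
                Error         = $null
            }
        } catch {
            # Unreachable host, or Defender cmdlets unavailable on the target.
            [pscustomobject]@{
                ComputerName  = $name
                EngineVersion = $null
                Patched       = $null
                Error         = $_.Exception.Message
            }
        } finally {
            if ($session) { Remove-CimSession $session }
        }
    }
}

Test-MpEngineVersion | Format-Table -AutoSize
```

A host that reports `Patched` as `False` or returns an error is one where the automatic engine update should be checked by hand.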