Microsoft has released a security advisory for a security vulnerability in the Microsoft Malware Protection Engine.
The update CVE-2017-0290 addresses a vulnerability that could allow remote code execution if the Microsoft Malware Protection Engine scans a specially crafted file. If an attacker were able to successfully exploit the vulnerability, they could execute arbitrary code in the security context of the LocalSystem account and take control of the system.
The engine is a malware protection service which is enabled by default on Windows 8, 8.1, 10, Windows Server 2012. Its core engine is also used in Microsoft Security Essentials, System Centre Endpoint Protection and various other Microsoft security products.
The bug was initially discovered and disclosed by members of Google’s Project Zero researchers Natalie Silvanovich and Tavis Ormandy, who claimed in their advisory: “On workstations, attackers can access mpengine by sending emails to users (reading the email or opening attachments is not necessary), visiting links in a web browser, instant messaging and so on.
“This level of accessibility is possible because MsMpEng uses a file system minifilter to intercept and inspect all system file system activity, so writing controlled contents to anywhere on disk (e.g. caches, temporary internet files, downloads (even unconfirmed downloads), attachments, etc) is enough to access functionality in mpengine. MIME types and file extensions are not relevant to this vulnerability, as MsMpEng uses its own content identification system.”
They claimed that vulnerabilities in the Microsoft Malware Protection Engine ‘are among the most severe possible in Windows, due to the privilege, accessibility, and ubiquity of the service’.
Ormandy claimed that he was ‘blown away at how quickly Microsoft responded to protect users”, and he could not ‘give enough kudos’ to the speed at which the fix was issued.
Microsoft confirmed in its advisory that the Microsoft Malware Protection Engine ships with several Microsoft anti-malware products. “Updates to the Microsoft Malware Protection Engine are installed along with the updated malware definitions for the affected products,” it said.
Darron Gibbard, chief technology security officer at Qualys, told Infosecurity that the irony of this bug is that it is in the product which is designed to protect operating systems against malware.
“Any machine with this unpatched flaw can be compromised using a specially crafted file that, once scanned by the Microsoft malware protection engine, allows an attacker to elevate their privileges,” Gibbard said. “Depending on the implementation of Malware Protection Engine, users may not even need to interact with the email or file that is sent to them in order for the exploit to be targeted.
“Microsoft have moved very quickly to patch and update the signatures to be able to detect the compromise. More importantly, the company has not waited for its monthly update for products like Windows Defender. “
The update is being pushed automatically and out of its regular schedule by Microsoft.
Gibbard said: “Scanning for vulnerabilities should be carried out regularly, and any issues found should be patched promptly. For high severity issues like this that can potentially be exploited without any human interaction, then patching should be carried out as soon as possible.”