Microsoft issues patch for bug in Windows Malware Protection Engine | British spooks find hole in Microsoft Defender and Security Essentials | Microsoft Patches Two Critical Defender Bugs
Vole rushes to patch
Microsoft has posted an out-of-band security update to fix a remote code execution flaw in its Malware Protection Engine.
The flaw, CVE-2017-11937, has not yet been exploited, but it is a real doozy.
The security hole is present in Windows Defender and Microsoft Security Essentials, as well as Endpoint Protection, Forefront Endpoint Protection, and Exchange Server 2013 and 2016.
It was discovered and reported by the UK's National Cyber Security Centre – which is part of GCHQ, Blighty's spying nerve centre.
The vulnerability can be triggered when the Malware Protection Engine scans a downloaded file to check for threats. In many systems this is set to happen automatically for all new files.
By exploiting a memory corruption error in the malware scanning tool, the attack file can execute code on the target machine with LocalSystem privileges.
Microsoft said: "There are many ways that an attacker could place a specially crafted file in a location that is scanned by the Microsoft Malware Protection Engine. For example, an attacker could use a website to deliver a specially crafted file to the victim's system that is scanned when the website is viewed by the user.
"An attacker could also deliver a specially crafted file via an email message or in an Instant Messenger message that is scanned when the file is opened. In addition, an attacker could take advantage of websites that accept or host user-provided content, to upload a specially crafted file to a shared location that is scanned by the Malware Protection Engine running on the hosting server."
Microsoft notes that, because Malware Protection Engine is set up to constantly receive updates, the fix will automatically be delivered over the air for most home users and many enterprise customers.
Microsoft has released a security patch to fix a flaw in its Windows Malware Protection Engine that, if left unpatched, lets an attacker exploit a memory corruption error in the malware scanning tool and compromise your system.
The bug in Malware Protection Engine was discovered by the UK's National Cyber Security Centre. The vulnerability (CVE-2017-11937) can affect systems running Windows 7, 8.1, 10 and Server 2016.
A similar flaw was found by Tavis Ormandy, security researcher for Google's Project Zero, in June this year.
Microsoft has released fixes for two critical flaws in its Windows Defender product which could allow attackers to completely take control of a targeted system.
CVE-2017-11937 and CVE-2017-11940 are remote code execution (RCE) vulnerabilities that exist when the Microsoft Malware Protection Engine (MMPE) doesn’t properly scan a specially crafted file, leading to memory corruption.
A remote attacker could therefore use a specially crafted file to execute arbitrary code, leading to a full system compromise. The file could be emailed, IM’d or delivered via a compromised website, the alert noted.
As the engine automatically scans files in real-time, the bugs could be easily exploited.
The updates fix the vulnerabilities by correcting the way in which the Microsoft Malware Protection Engine scans specially crafted files.
The software flaws affect Windows Defender on all supported Windows PC and server platforms, as well as Microsoft Endpoint Protection, Windows Intune Endpoint Protection, Security Essentials, Forefront Endpoint Protection and Exchange Server 2013 and 2016.
Fortunately, the vulnerabilities are not thought to have been publicly disclosed or exploited in the wild.
Most enterprise admins will not need to take any further action as the updates will be automatically deployed.
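Because the fix ships as an engine update rather than a conventional patch, an admin can confirm a host has actually picked it up. The following is an added PowerShell example, not code from any of the articles or from Microsoft; it uses the Defender module cmdlets `Get-MpComputerStatus` and `Update-MpSignature`, and `$FixedEngineVersion` is a placeholder that must be replaced with the fixed engine version stated in Microsoft's advisory for CVE-2017-11937 / CVE-2017-11940.

```powershell
# Added example: verify that the Malware Protection Engine on this host is at or above
# the version carrying the fix, and force an engine/definition update if it is not.
# PLACEHOLDER: take the real fixed engine version from Microsoft's advisory.
$FixedEngineVersion = [version]'0.0.0.0'

function Test-MpEngineFixed {
    param([version]$MinimumVersion)

    $status = Get-MpComputerStatus
    $engine = [version]$status.AMEngineVersion

    [pscustomobject]@{
        Computer            = $env:COMPUTERNAME
        EngineVersion       = $engine
        EngineIsFixed       = ($engine -ge $MinimumVersion)
        # Real-time scanning is the exposure the articles describe: files are scanned as they land.
        RealTimeProtection  = $status.RealTimeProtectionEnabled
        AntimalwareService  = $status.AMServiceEnabled
    }
}

$result = Test-MpEngineFixed -MinimumVersion $FixedEngineVersion
$result | Format-List

if (-not $result.EngineIsFixed) {
    Write-Warning "Engine $($result.EngineVersion) is below $FixedEngineVersion; requesting an update from Microsoft Update."
    Update-MpSignature -UpdateSource MicrosoftUpdateServer
    # Re-check after the update attempt so the outcome is recorded, not assumed.
    Test-MpEngineFixed -MinimumVersion $FixedEngineVersion | Format-List
}
```

Run it from an elevated PowerShell session on each managed host; hosts that still report `EngineIsFixed : False` after the update attempt are the ones that need the update path (WSUS, proxy, or update source) investigated.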
Interestingly the bugs were reported by the National Cyber Security Centre (NCSC), part of UK spy agency GCHQ.
It’s a nice bit of PR for NCSC given its role is to educate the populace and protect UK consumers and businesses from critical cyber-threats to essential services.
The organization has been an increasingly vocal presence in the news of late, warning government agencies earlier this month to effectively ban Russian AV for any networks processing information classified “secret” or above.
Several other critical MMPE bugs have already been discovered this year allowing remote code execution by hackers.