Google researcher uncovers another RCE in Microsoft Malware Protection Engine

Google Project Zero researcher Tavis Ormandy has unearthed yet another critical remote code execution vulnerability affecting the Microsoft Malware Protection Engine, which powers a number of the company’s antivirus and antispyware software.

Discovered earlier this month with the help of a fuzzer for the Windows Defender component created by Ormandy himself, the vulnerability affects the x86 emulator in Windows Defender, which “runs as SYSTEM, is unsandboxed, is enabled by default and remotely accessible to attackers.”

The flaw (CVE-2017-8558) can be triggered via a specially crafted file that is scanned by a vulnerable version of the Microsoft Malware Protection Engine.

“There are many ways that an attacker could place a specially crafted file in a location that is scanned by the Microsoft Malware Protection Engine,” Microsoft explained in a document accompanying the security update that includes a fix for the flaw.

“For example, an attacker could use a website to deliver a specially crafted file to the victim’s system that is scanned when the website is viewed by the user. An attacker could also deliver a specially crafted file via an email message or in an Instant Messenger message that is scanned when the file is opened. In addition, an attacker could take advantage of websites that accept or host user-provided content, to upload a specially crafted file to a shared location that is scanned by the Malware Protection Engine running on the hosting server.”

A successful exploitation of the vulnerability would allow an attacker to execute arbitrary code in the security context of the LocalSystem account and take control of the system, and do things like install programs, view, modify and delete data, as well as create new accounts with full user rights.

There are no workarounds for the vulnerability, so updating the Microsoft Malware Protection Engine is crucial for defending oneself from attackers who might wish to exploit it.

The fix is included in version 1.1.13903.0 of the engine.

“Typically, no action is required of enterprise administrators or end users to install updates for the Microsoft Malware Protection Engine, because the built-in mechanism for the automatic detection and deployment of updates will apply the update within 48 hours of release,” Microsoft noted.

Users who want to make sure they have received the update can manually check for updates for Microsoft Endpoint Protection, Microsoft Forefront Endpoint Protection, Microsoft Security Essentials, Windows Defender, and Windows Intune Endpoint Protection.

In May, Ormandy and his colleague Natalie Silvanovich found a critical RCE vulnerability (CVE-2017-0290) in the Microsoft Malware Protection Engine that could lead to the same consequences, and Google Project Zero researcher Mateusz Jurczyk flagged eight RCE and DoS holes in it.

To their credit, in all these situations, Microsoft has reacted promptly and quickly pushed out the needed patches.