Easily exploited flaw in Microsoft Malware Protection Engine allows total system compromise

A critical and extremely easily exploitable vulnerability in the Microsoft Malware Protection Engine (MMPE) has been patched through an out-of-band security update pushed out by Microsoft on Tuesday.

“Administrators of enterprise antimalware deployments should ensure that their update management software is configured to automatically approve and distribute engine updates and new malware definitions. Enterprise administrators should also verify that the latest version of the Microsoft Malware Protection Engine and definition updates are being actively downloaded, approved and deployed in their environment,” Microsoft advised.

“For end-users, the affected software provides built-in mechanisms for the automatic detection and deployment of this update. For these customers, the update will be applied within 48 hours of its availability. The exact time frame depends on the software used, Internet connection, and infrastructure configuration. End users that do not wish to wait can manually update their antimalware software.”

About the vulnerability (CVE-2018-0986)

The Microsoft Malware Protection Engine, mpengine.dll, provides the scanning, detection, and cleaning capabilities for a variety of Microsoft antivirus and antispyware software: Windows Defender, Microsoft Endpoint Protection, Microsoft Security Essentials, and so on.

CVE-2018-0986 was discovered by Thomas Dullien (aka “Halvar Flake”), a security researcher with Google Project Zero.

The source of the vulnerability is an older version of the open-source archiving utility unrar, which has been forked and modified by Microsoft and incorporated into the MMPE.

“To exploit this vulnerability, a specially crafted file must be scanned by an affected version of the Microsoft Malware Protection Engine,” Microsoft explained, and noted that there are many ways that such a file can be placed in a location that is scanned by the MMPE.

“For example, an attacker could use a website to deliver a specially crafted file to the victim’s system that is scanned when the website is viewed by the user. An attacker could also deliver a specially crafted file via an email message or in an Instant Messenger message that is scanned when the file is opened. In addition, an attacker could take advantage of websites that accept or host user-provided content, to upload a specially crafted file to a shared location that is scanned by the Malware Protection Engine running on the hosting server.”

Exploitation can be triggered without user interaction if the affected antimalware software has real-time protection turned on. If not, the attacker would need to wait until a scheduled scan occurs.

An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the LocalSystem account and take control of the system, and do things like install programs (additional malware); view, change, or delete data; or create new accounts with full user rights.

Users who want to check whether the update has been implemented can follow these instructions provided by Microsoft. The first MMPE version with this vulnerability addressed is version 1.1.14700.5.

“Criticality for Microsoft depends greatly on the individual product line. For the Windows Product, the most critical vulnerabilities are the ones that cause users to lose control of their computers in totality. In the case of this patched exploit, it offers a worse case scenario: the very tool Microsoft uses to protect their users turned against them. This is not the first time that AV has been targeted. Security vendors, especially, need to secure using all methods available to them as they run privileged processes by nature,” commented Aaron Zander, IT engineer at HackerOne.

“While it’s hard to say if CVE 2018-0986 was ever exploited in the past, the difficulty in crafting this exploit leaves only the most elite capable of doing so. If tools were made available allowing others to make their own payloads, this would open up the attack surface to more users. All of that being said, always staying on-top of updates from your OS provider is a simple and easy step to mitigate risk from security flaws.”