Emergency patch released for critical security hole in Microsoft's malware scanner

Graham CLULEY

May 09, 2017

You know a security hole is serious if Microsoft issues a patch for it just hours before the company is scheduled to release its regular bundle of Patch Tuesday updates.

Microsoft has issued an update for the Microsoft Malware Protection Engine, addressing a security vulnerability that could allow remote code execution if one of Microsoft’s anti-virus products scans a boobytrapped file. As Microsoft warns in its advisory, an attacker could exploit the vulnerability to seize control of a victim’s PC.

In short, running Microsoft’s anti-virus software would have protected against a raft of malware, but it may also have made your computer more vulnerable.

The risk is that an attacker could deliberately send a malicious file which exploits the vulnerability to a computer, whether it be via email, instant messaging or a web browser link. Once it has triggered, an attacker could then take complete control of the computer, install spyware, and steal data.

The vulnerability was found by Tavis Ormandy and Natalie Silvanovich, two researchers in Google’s Project Zero team. In a curt announcement of his discovery, Ormandy described the flaw as “the worst Windows remote code exec in recent memory. This is crazy bad… Attack works against a default install, don’t need to be on the same LAN, and it’s wormable.”

To its enormous credit, Microsoft’s security team patched the vulnerability late on Monday, and began to roll out the fix to users.

Even Tavis Ormandy managed to be impressed with the speedy response.

As is their wont, Google Project Zero published details of the flaw – including proof-of-concept code that could potentially be taken by attackers and turned against vulnerable users:

Before executing JavaScript, mpengine uses a number of heuristics to decide if evaluation is necessary. One such heuristic estimates file entropy before deciding whether to evaluate any javascript, but we’ve found that appending some complex comments is enough to trigger this.

The attached proof of concept demonstrates this, but please be aware that downloading it will immediately crash MsMpEng in its default configuration and possibly destabilize your system. Extra care should be taken sharing this report with other Windows users via Exchange, or web services based on IIS, and so on.

As mpengine will unpack arbitrarily deeply nested archives and supports many obscure and esoteric archive formats (such as Amiga ZOO and MagicISO UIF), there is no practical way to identify an exploit at the network level, and administrators should patch as soon as is practically possible.

We have verified that on Windows 10, adding a blanket exception for C:\ is enough to prevent automatic scanning of filesystem activity (you can still initiate manual scans, but it seems prudent to do so on trusted files only, making the action pointless).

Personally I’m unconvinced that Google publishing proof-of-concept code exploiting the flaw in Microsoft’s software helps the vast majority of internet users. But that’s perhaps a debate for another time.

The important thing now, of course, is for users who rely upon the likes of Microsoft Forefront Endpoint Protection, Microsoft Security Essentials, Windows Defender, and Microsoft Endpoint Protection to ensure that they have updated their systems. You can check if your own PC is protected by ensuring that the version of Microsoft Malware Protection Engine you have installed is version 1.1.13704.0 or later.

Microsoft explains in its advisory about the out-of-band security update that typically end users and enterprise administrators will have their systems automatically updated within 48 hours of a patch being released. But it probably wouldn’t hurt to update your systems immediately by clicking the “Check Update” button.
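For administrators who would rather script the version check than open the product’s About dialog, the following PowerShell is an added example, not code from the article, Microsoft or Project Zero. It assumes the Defender PowerShell module (Get-MpComputerStatus, Update-MpSignature) is present, which is the case on Windows 8.1/10 and Server 2012 R2 or later; the fixed engine version is the one quoted above, 1.1.13704.0.

```powershell
# Added example: verify the installed Microsoft Malware Protection Engine is at or
# above the version named in the advisory, and pull the update if it is not.
# Assumes the Windows Defender module is available (Get-MpComputerStatus / Update-MpSignature).
$FixedVersion = [version]'1.1.13704.0'   # first fixed engine version, as quoted in the article

function Test-MpEngineFixed {
    param(
        [Parameter(Mandatory)][version]$Installed,
        [version]$Fixed = $FixedVersion
    )
    # Compare as [version] objects, not strings: component-wise comparison makes
    # 1.1.13704.0 -ge 1.1.13704.0 true and 1.1.9999.0 -ge 1.1.13704.0 false,
    # whereas a plain string comparison would rank '1.1.9999.0' above '1.1.13704.0'.
    return $Installed -ge $Fixed
}

$status    = Get-MpComputerStatus
$installed = [version]$status.AMEngineVersion   # engine version reported by Defender

if (Test-MpEngineFixed -Installed $installed) {
    Write-Output "Engine $installed is at or above $FixedVersion - this machine has the fix."
} else {
    Write-Warning "Engine $installed is older than $FixedVersion - requesting an update now."
    # Engine updates are delivered through the same channel as definition updates,
    # so forcing a definition update is the scripted equivalent of the "Check Update" button.
    Update-MpSignature
    $installed = [version](Get-MpComputerStatus).AMEngineVersion
    if (Test-MpEngineFixed -Installed $installed) {
        Write-Output "Engine now $installed - fixed."
    } else {
        Write-Warning "Engine still $installed - check connectivity to the update source and retry."
    }
}
```

Run it from an elevated prompt; Update-MpSignature needs administrative rights. On older products without the Defender module (Microsoft Security Essentials on Windows 7, for example) the same comparison applies, but the engine version has to be read from the product’s About dialog instead.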

Bugs exist in virtually all software. Often the important thing is not so much the bug itself, but how well the vendor responds to the bug’s discovery – and how well they are able to provide support for their customer base. In this case, it’s hard to fault Microsoft’s response.
