Google Project Zero continues to scrape away at the ubiquitous Microsoft Malware Protection Engine at the core of many security products embedded in Windows, and it continues to discover new critical vulnerabilities.
The latest, another remote code execution flaw, was patched on Friday after it was privately disclosed June 7 by researcher Tavis Ormandy.
The vulnerability was found in the same full-system, unsandboxed x86 emulator that Microsoft quietly patched in late May. This is the third critical vulnerability in MsMpEng that Ormandy has had a hand in disclosing and patching since early May.
Ormandy said in a bug report made public on Friday, after the update was pushed to Windows machines, that he wrote a custom fuzzer that turned up a heap corruption in the KERNEL32.DLL!VFS_Write API.
“I suspect this has never been fuzzed before,” Ormandy wrote.
The emulator is used to execute untrusted files, such as portable executables. Ormandy said that an apicall instruction, which invokes a “large number of emulator apis,” is exposed remotely; the researcher said Microsoft told him that the apicall instruction is exposed intentionally for “multiple reasons.”
Microsoft said the vulnerability exists because MsMpEng does not properly scan a specially crafted file, leading to memory corruption.
“An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the LocalSystem account and take control of the system,” Microsoft said in an advisory. “An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”
An attacker could host the crafted file online and lure a victim to the site, where MsMpEng would automatically scan and execute the file when the page is viewed. Attackers could also deliver the exploit via email or IM, again triggering the attack if MsMpEng automatically scans the file.
“If the affected antimalware software has real-time protection turned on, the Microsoft Malware Protection Engine will scan files automatically, leading to exploitation of the vulnerability when the specially crafted file is scanned,” Microsoft said. “If real-time scanning is not enabled, the attacker would need to wait until a scheduled scan occurs in order for the vulnerability to be exploited. All systems running an affected version of antimalware software are primarily at risk.”
The engine is part of a number of Microsoft security products, including Microsoft Endpoint Protection, Microsoft Forefront Endpoint Protection, Windows Defender and Microsoft Intune Endpoint Protection.
Microsoft said in most cases, updates will automatically be pushed to endpoints, and clarified that the bug affects only x86 or 32-bit versions of MsMpEng.
On May 8, Microsoft patched the first MsMpEng issue found by Ormandy and Project Zero colleague Natalie Silvanovich. The bug was addressed in an emergency patch, and was called the “worst Windows vulnerability in recent memory” by the researchers.
On May 25, Microsoft pushed a silent update for the first emulator issue in the engine.