Emergency Update Patches Zero Day in Microsoft Malware Protection Engine

Microsoft released an emergency update for a zero-day vulnerability disclosed by Google in the Microsoft Malware Protection Engine bundled with most versions of Windows.

Microsoft made quick work of what two prominent Google researchers called the worst Windows vulnerability in recent memory, releasing an emergency patch Monday night, 48 hours after Google’s private disclosure was made.

The mystery Windows zero day (CVE-2017-0290) was in the Microsoft Malware Protection Engine running in most of Microsoft’s antimalware offerings bundled with Windows. The engine, known as MsMpEng, is over-privileged and un-sandboxed, according to Google Project Zero researchers Tavis Ormandy and Natalie Silvanovich.

Worse, MsMpEng is accessible remotely via a number of critical, ubiquitous Windows services, including Exchange and the IIS web server. With one email—one that would not have to be read by the user—an attacker could execute code remotely on a vulnerable computer running MsMpEng.

“Vulnerabilities in MsMpEng are among the most severe possible in Windows, due to the privilege, accessibility, and ubiquity of the service,” Google said in its bug report.

Updates will be automatically pushed to the engine within 48 hours, Microsoft said last night. Admins should verify that version 1.1.13704.0 of the engine is running. Microsoft listed a number of affected products in its advisory, all of them rated critical, including Forefront Endpoint Protection, System Center Endpoint Protection, Security Essentials, Defender for Windows 7, 8.1, RT 8.1, 10 and Windows Server 2016.

“The update addresses a vulnerability that could allow remote code execution if the Microsoft Malware Protection Engine scans a specially crafted file,” Microsoft said. “An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the LocalSystem account and take control of the system.”

Ormandy and Silvanovich warned via Twitter on Saturday that they had just found a severe Windows vulnerability without sharing much more information, other than it was wormable. It was also thought to be unlikely that Microsoft would be able to turn around a patch so quickly, especially given that today is Patch Tuesday.

Attackers can use a crafted file to access the mpengine component which scans and analyzes files. Ormandy and Silvanovich wrote that an attacker could find success without user interaction with the malicious file because the engine analyzes filesystem activity using a minifilter.

“So writing controlled contents to anywhere on disk (e.g. caches, temporary internet files, downloads (even unconfirmed downloads), attachments, etc) is enough to access functionality in mpengine,” they wrote. “MIME types and file extensions are not relevant to this vulnerability, as MsMpEng uses it’s own content identification system.”

The researchers said mpengine offers attackers a “vast and complex attack surface,” with numerous components including executable packers an cryptors, system emulators and interpreters that are accessible remotely. Further, mpengine contains a component called NScript that evaluates filesystem and network activity that looks like JavaScript for malicious behavior.

“To be clear, this is an unsandboxed and highly privileged JavaScript interpreter that is used to evaluate untrusted code, by default on all modern Windows systems,” Ormandy and Silvanovich wrote. “This is as surprising as it sounds.”

The researchers said they wrote a tool to access NScript via command shell. They found that a particular function in the engine fails to validate message properties from an object before passing it along to a runtime state. An attacker can take advantage of this type of confusion and pass arbitrary objects to runtime, the researchers wrote.

“Before executing JavaScript, mpengine uses a number of heuristics to decide if evaluation is necessary,” Ormandy and Silvanovich wrote. “One such heuristic estimates file entropy before deciding whether to evaluate any javascript, but we’ve found that appending some complex comments is enough to trigger this.”

Attackers can exploit this vulnerability through a number of avenues aside from email attachments, including links to sites hosting an exploit sent via email or any instant messenger. The engine will scan the file once it’s opened from the internet, exploiting the vulnerability.

“The update addresses the vulnerability by correcting the manner in which the Microsoft Malware Protection Engine scans specially crafted files,” Microsoft said.

Suggested articles