Industry News

Emergency patch released for critical security hole in Microsoft’s malware scanner

You know a security hole is serious if Microsoft issues a patch for it just hours before the company is scheduled to release its regular bundle of Patch Tuesday updates.

Microsoft has issued an update for the Microsoft Malware Protection Engine, addressing a security vulnerability that could allow remote code execution if one of Microsoft’s anti-virus products scans a boobytrapped file. As Microsoft warns in its advisory, an attacker could exploit the vulnerability to seize control of a victim’s PC.

In short, running Microsoft’s anti-virus software would have protected against a raft of malware, but it may also have made your computer more vulnerable.

The risk is that an attacker could deliberately send a malicious file which exploits the vulnerability to a computer, whether it be via email, instant messaging or a web browser link. Once it has triggered, an attacker could then take complete control of the computer, install spyware, and steal data.

The vulnerability was found by Tavis Ormandy and Natalie Silvanovich, two researchers in Google’s Project Zero team. In a curt announcement of his discovery, Ormandy described the flaw as “the worst Windows remote code exec in recent memory. This is crazy bad… Attack works against a default install, don’t need to be on the same LAN, and it’s wormable.”

To its enormous credit, Microsoft’s security team patched the vulnerability late on Monday, and began to roll out the fix to users.

Even Tavis Ormandy managed to be impressed with the speedy response.

As is their wont, Google Project Zero published details of the flaw – including proof-of-concept code that could potentially be taken by attackers and turned against vulnerable users:

Before executing JavaScript, mpengine uses a number of heuristics to decide if evaluation is necessary. One such heuristic estimates file entropy before deciding whether to evaluate any javascript, but we’ve found that appending some complex comments is enough to trigger this.

The attached proof of concept demonstrates this, but please be aware that downloading it will immediately crash MsMpEng in its default configuration and possibly destabilize your system. Extra care should be taken sharing this report with other Windows users via Exchange, or web services based on IIS, and so on.

As mpengine will unpack arbitrarily deeply nested archives and supports many obscure and esoteric archive formats (such as Amiga ZOO and MagicISO UIF), there is no practical way to identify an exploit at the network level, and administrators should patch as soon as is practically possible.

We have verified that on Windows 10, adding a blanket exception for C:\ is enough to prevent automatic scanning of filesystem activity (you can still initiate manual scans, but it seems prudent to do so on trusted files only, making the action pointless).

Personally I’m unconvinced that Google publishing proof-of-concept code exploiting the flaw in Microsoft’s software helps the vast majority of internet users. But that’s perhaps a debate for another time.

The important thing now, of course, is for users who rely upon the likes of Microsoft Forefront Endpoint Protection, Microsoft Security Essentials, Windows Defender, and Microsoft Endpoint Protection to ensure that they have updated their systems. You can check if your own PC is protected by ensuring that the version of Microsoft Malware Protection Engine you have installed is version 1.1.13704.0 or later.

Microsoft explains in its advisory about the out-of-band security update that typically end users and enterprise administrators will have their systems automatically updated within 48 hours of a patch being released. But it probably wouldn’t hurt to update your systems immediately by clicking the “Check Update” button.
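One way to perform that version check from an elevated PowerShell prompt, as an added example that is not part of the article: Get-MpComputerStatus and Update-MpSignature are the Defender module cmdlets, and the registry fallback paths are assumptions for hosts (such as SCEP/FEP installs) where that module is absent.

```powershell
# Added example (not from the article): confirm the Microsoft Malware Protection
# Engine on this host is at or above the fixed version the article cites
# (1.1.13704.0) and, if not, request an engine/signature update immediately.

$FixedVersion = [version]'1.1.13704.0'

function Get-MpEngineVersion {
    # Preferred source: the Defender module reports the engine as AMEngineVersion.
    if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
        return [version](Get-MpComputerStatus).AMEngineVersion
    }
    # Fallback (assumed locations): the engine version recorded by the
    # Defender or legacy Microsoft Antimalware (SCEP/FEP) signature updater.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows Defender\Signature Updates',
        'HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware\Signature Updates'
    )
    foreach ($key in $keys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($props -and $props.EngineVersion) { return [version]$props.EngineVersion }
    }
    throw 'No Microsoft Malware Protection Engine version found on this host.'
}

function Test-MpEnginePatched {
    param([version]$Installed, [version]$Required = $FixedVersion)
    # [version] compares all four fields numerically, so 1.1.13704.0 -lt 1.1.13800.0
    # holds; a plain string comparison would wrongly rank '1.1.9000.0' above it.
    return $Installed -ge $Required
}

$installed = Get-MpEngineVersion
if (Test-MpEnginePatched -Installed $installed) {
    Write-Output "Engine $installed is at or above $FixedVersion: patched."
} else {
    Write-Warning "Engine $installed is below $FixedVersion: requesting an update now."
    Update-MpSignature -ErrorAction Stop
    $after = Get-MpEngineVersion
    if (Test-MpEnginePatched -Installed $after) {
        Write-Output "Update applied; engine is now $after."
    } else {
        Write-Warning "Engine still $after; check Windows Update/WSUS connectivity."
    }
}
```

Run it across a fleet with Invoke-Command to find hosts still below the fixed engine version rather than waiting the 48 hours Microsoft quotes for automatic rollout.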

Bugs exist in virtually all software. Often the important thing is not so much the bug itself, but how well the vendor responds to the bug’s discovery – and how well they are able to provide support for their customer base. In this case, it’s hard to fault Microsoft’s response.

About the author

Graham CLULEY

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.

2 Comments


  • Bulls**t, I don't think the model Google is following -user vulnerabilities as throwable weapon against competitors- is the way to go. Is this case also included in their 90 days vulnerability leak? Don't get me wrong, I deeply appreciate their effort, but I perceive that sometimes they try to take other benefits from such cases, and we cannot state Google is out of these cases, can we?