Microsoft acts quickly following disclosure by Google’s Project Zero bug-hunters
Microsoft issued an emergency patch overnight in order to protect users from a ‘severe’ remote-code execution flaw affecting Windows’ Malware Protection Engine.
The flaw had been described as "crazy bad" by Tavis Ormandy, a security researcher at Google's Project Zero, who uncovered it alongside fellow researcher Natalie Silvanovich.
"MsMpEng is the Malware Protection service that is enabled by default on Windows 8, 8.1, 10, Windows Server 2012, and so on," wrote Ormandy in a Project Zero advisory over the weekend.
"Additionally, Microsoft Security Essentials, System Center Endpoint Protection and various other Microsoft security products share the same core engine. MsMpEng runs as NT AUTHORITY\SYSTEM without sandboxing, and is remotely accessible without authentication via various Windows services, including Exchange, IIS, and so on.
Attackers can reach the engine simply by sending emails to users (the recipient does not even need to read the email or open an attachment), by luring them to a link in a web browser, via instant messaging and so on, according to Ormandy. In other words, the victim never has to run anything: any path that causes attacker-controlled bytes to land on disk is enough.
"This level of accessibility is possible because MsMpEng uses a filesystem mini-filter to intercept and inspect all system filesystem activity, so writing controlled contents to anywhere on disk (for example, caches, temporary internet files, downloads – even unconfirmed downloads – attachments, etcetera) is enough to access functionality in mpengine…
"Vulnerabilities in MsMpEng are among the most severe possible in Windows, due to the privilege, accessibility, and ubiquity of the service."
Normally, Google gives a vendor 90 days' grace before going public with the details of a security flaw, and vendors, Microsoft included, do not always ship a fix within that window. This time, however, Microsoft acted with uncharacteristic haste.
The vulnerability could enable remote code execution if the Microsoft Malware Protection Engine scans a specially crafted file. "An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the LocalSystem account and take control of the system," warns Microsoft in its security advisory (Microsoft Security Advisory 4022344, tracked as CVE-2017-0290).
The flaw affects Microsoft's anti-malware scanning across the board: Windows Defender on home PCs; Microsoft Security Essentials, also on home PCs; Microsoft Forefront Endpoint Protection; Windows Intune Endpoint Protection; Microsoft System Center Endpoint Protection; Microsoft Forefront Security for SharePoint; and Microsoft Endpoint Protection – the whole lot.
Happily, perhaps, for systems administrators, the fix ships as a new engine build that is rolled out automatically alongside the regular malware definition updates, so no separate Windows Update package needs to be approved. The flip side is that "automatic" only holds where definition updates are actually arriving: administrators should confirm that the engine version reported by each Defender or Endpoint Protection client is at or above the fixed build rather than assume it. Home users may need to make sure that the update to Windows Defender is selected among 'important updates' if they do not have Windows Update installing updates automatically.
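The check described above, as an added example that is not code from the article, from Project Zero or from Microsoft: a PowerShell function that reads the running engine version from the Defender module's Get-MpComputerStatus cmdlet (present on Windows 8.1, Windows Server 2012 R2 and later), compares it with the first fixed engine build that Microsoft listed in its advisory for this flaw (1.1.13704.0), and, when asked, pulls a definition update to bring the engine forward. The function name Test-MpEngineFixed and the -FixedVersion/-Remediate parameters are this example's own; hosts running Windows 7 with Security Essentials or Windows Server 2012 RTM lack the Defender module and must be checked through the product's own console instead.

```powershell
# Added example, not from the article or from Microsoft: verify that the
# patched Malware Protection Engine has arrived on this host and, optionally,
# force a definition pull to fetch it. Run in an elevated PowerShell session.
#
# Assumption: the threshold below is the first fixed engine build listed in
# Microsoft's advisory for this flaw. Pass -FixedVersion to check another one.
function Test-MpEngineFixed {
    param(
        [version]$FixedVersion = [version]'1.1.13704.0',
        [switch]$Remediate
    )

    # Get-MpComputerStatus reports the engine build that is actually loaded,
    # which is what matters: a definition update that has been downloaded but
    # not yet applied does not protect anybody.
    $status = Get-MpComputerStatus -ErrorAction Stop
    $engine = [version]$status.AMEngineVersion

    $result = [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        EngineVersion      = $engine
        FixedVersion       = $FixedVersion
        Patched            = ($engine -ge $FixedVersion)   # System.Version compares numerically
        RealTimeProtection = $status.RealTimeProtectionEnabled
        SignatureAgeDays   = $status.AntivirusSignatureAge
    }

    if (-not $result.Patched -and $Remediate) {
        # Engine updates ride along with definition updates, so a signature
        # refresh is the supported way to pull the fixed engine build.
        Update-MpSignature -ErrorAction Stop
        $engine = [version](Get-MpComputerStatus).AMEngineVersion
        $result.EngineVersion = $engine
        $result.Patched       = ($engine -ge $FixedVersion)
    }

    return $result
}

# Usage: check this host and try to remediate if it is behind.
Test-MpEngineFixed -Remediate | Format-List
```

For a fleet, run the same function through Invoke-Command against a list of hosts and filter on Patched being false; a machine that still reports an old engine after Update-MpSignature is one whose definition updates are not flowing (proxy, WSUS approval, or a stopped service), and that is the machine to look at first, since it remains exposed exactly as the advisory describes.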