When security researcher Tavis Ormandy revealed a vulnerability in Microsoft’s Malware Protection Engine, he published proof-of-concept code and earned himself a rebuke., Operating Systems
When security researcher Tavis Ormandy revealed a vulnerability in Microsoft’s Malware Protection Engine, he published proof-of-concept code and earned himself a rebuke. Graham Cluley has criticised Google’s Project Team Zero for releasing proof of concept code along with details of a freshly discovered vulnerability in the Microsoft Malware Protection Engine. Microsoft has issued an emergency patch ahead of its usual Patch Tuesday release because of the seriousness of the flaw. According to Tavis Ormandy, who works for Project Team Zero and discovered the vulnerability along with Natalie Silvanovich, it is “the worst Windows remote code exec in recent memory. This is crazy bad.” Discussing the vulnerability on Twitter, he said: “Attack works against a default install, don’t need to be on the same LAN, and it’s wormable.” I think and I just discovered the worst Windows remote code exec in recent memory. This is crazy bad. Report on the way. There’s clearly no love lost between Cluley and Ormandy, with Cluley describing Ormandy’s announcement as “curt” and later criticising him for releasing the proof-of-concept code. “Personally I’m unconvinced that Google publishing proof-of-concept code exploiting the flaw in Microsoft’s software helps the vast majority of internet users, ” he wrote on the. Meanwhile, Ormandy has blocked Cluley on Twitter. Huh.. I only said on the podcast the other day what an incredibly smart guy is… and this is how I’m rewarded.: (However, one thing that Cluley and Ormandy could agree on was their admiration for Microsoft’s response to the vulnerability. Cluley pointed out that Microsoft issued a patch just hours before it was due to release its Patch Tuesday updates. And Ormandy said on Twitter: “Still blown away at how quickly @msftsecurity responded to protect users, can’t give enough kudos. Amazing.” The flaw that Ormandy and Silvanovich discovered is in MsMpEng, the malware protection service that runs on many of the recent Microsoft operating systems including Windows 8,8.1,10, Windows Server 2012 and others. It is also the core behind Microsoft Security Essentials, System Centre Endpoint Protection and other products. Attackers can trigger the vulnerability by email and instant message, even if the user doesn’t open it. Writing on Chromium Bugs, Ormandy said: “On workstations, attackers can access mpengine by sending emails to users (reading the email or opening attachments is not necessary) , visiting links in a web browser, instant messaging and so on. This level of accessibility is possible because MsMpEng uses a filesystem minifilter to intercept and inspect all system filesystem activity, so writing controlled contents to anywhere on disk (eg caches, temporary internet files, downloads (even unconfirmed downloads) , attachments, etc) is enough to access functionality in mpengine.” Supporting his warning about the severity of the bug, he said: “Vulnerabilities in MsMpEng are among the most severe possible in Windows, due to the privilege, accessibility, and ubiquity of the service.” MsMpEng is so vast and complex with a multitude of handlers for dozens of esoteric formats that it creates a rich attack surface for attackers, he said.
