Microsoft Quietly Patches Another Critical Malware Protection Engine Flaw
Microsoft quietly patched a critical vulnerability Wednesday in the Malware Protection Engine. The vulnerability was found May 12 by Google’s Project Zero team, which said an attacker could have crafted an executable that, when processed by the Malware Protection Engine’s emulator, could permit remote code execution.
Unlike the May 9 emergency patch for what Google researchers called the worst Windows vulnerability in recent memory, this week’s bug was a quiet fix, said Project Zero researcher Tavis Ormandy, who privately disclosed it to Microsoft. The prior zero-day (CVE-2017-0290) was also in the Microsoft Malware Protection Engine, which is used by almost all of Microsoft’s antimalware products bundled with Windows.
“MsMpEng includes a full system x86 emulator that is used to execute any untrusted files that look like PE executables. The emulator runs as NT AUTHORITY\SYSTEM and isn’t sandboxed,” Ormandy wrote. “Browsing the list of win32 APIs that the emulator supports, I noticed ntdll!NtControlChannel, an ioctl-like routine that allows emulated code to control the emulator.”
That exposed the MsMpEng engine to a number of different problems, such as giving attackers the ability to issue various input/output control commands.
“Command 0x0C allows you to parse arbitrary attacker-controlled RegularExpressions to Microsoft GRETA (a library abandoned since the early 2000s)… Command 0x12 allows you to load additional “microcode” that can replace opcodes… Various commands allow you to change execution parameters, set and read scan attributes and UFS metadata. This seems like a privacy leak at least, as an attacker can query the research attributes you set and then retrieve it via scan result,” Ormandy wrote.
Neither Microsoft nor Google returned requests for comment.
“This was potentially an extremely bad vulnerability, but probably not as easy to exploit as Microsoft’s earlier zero days, patched just a couple weeks ago,” said Udi Yavo, co-founder and CTO of enSilo, in an interview with Threatpost.
The fact that MsMpEng isn’t sandboxed is also notable, said Yavo. He said most Windows applications, such as the Microsoft Edge browser, are sandboxed. That means an adversary targeting Edge would have to exploit a vulnerability in Edge and then escape the sandbox to cause harm. “MsMpEng is not sandboxed, meaning if you can exploit a vulnerability there it’s game over,” Yavo said.
Ormandy notes another unusual aspect of this bug in Microsoft’s Malware Protection Engine. “The emulator’s job is to emulate the client’s CPU. But, oddly, Microsoft has given the emulator an extra instruction that allows API calls. It’s unclear why Microsoft creates special instructions for the emulator. If you think that sounds crazy, you’re not alone,” he wrote.
Microsoft did not issue a security advisory for this patch, as it did for the previous zero-day. Users don’t have to take any action if their security products are left at the default settings, which update engines and definitions automatically.
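Because this fix shipped without an advisory, the practical question for an administrator is whether the engine on a given machine has actually moved past the vulnerable build. The following PowerShell is an added example, not code from the article, Microsoft or Project Zero; it uses the built-in Defender module cmdlets `Get-MpComputerStatus` and `Update-MpSignature`. The minimum engine version is a placeholder, since the article does not state which engine build carries the fix; substitute the version from Microsoft’s engine release notes.

```powershell
# Added example: verify the local Malware Protection Engine build and definition age.
# $MinimumEngineVersion is a PLACEHOLDER; replace it with the fixed engine version
# published by Microsoft for the update you are checking for.
$MinimumEngineVersion = [version]'0.0.0.0'   # PLACEHOLDER, not a real fixed build
$MaxDefinitionAgeHours = 48                  # assumed freshness threshold for definitions

# Get-MpComputerStatus reports engine, signature and protection state for Defender.
$status = Get-MpComputerStatus

# AMEngineVersion is the Malware Protection Engine (mpengine.dll) build in use.
$engine   = [version]$status.AMEngineVersion
$engineOk = $engine -ge $MinimumEngineVersion

# Definitions are updated on the same channel as the engine; stale definitions
# usually mean automatic updates are not reaching this host.
$sigAge = (Get-Date) - $status.AntivirusSignatureLastUpdated
$sigOk  = $sigAge.TotalHours -le $MaxDefinitionAgeHours

[pscustomobject]@{
    EngineVersion      = $engine
    EngineAtOrAboveFix = $engineOk
    DefinitionAgeHours = [math]::Round($sigAge.TotalHours, 1)
    DefinitionsCurrent = $sigOk
    RealTimeProtection = $status.RealTimeProtectionEnabled
}

if (-not ($engineOk -and $sigOk)) {
    # Force a definition/engine pull from Microsoft Update and report the result.
    Write-Warning 'Engine or definitions are behind; requesting an update now.'
    Update-MpSignature
    $after = Get-MpComputerStatus
    Write-Output ("Engine after update: {0}" -f $after.AMEngineVersion)
}
```

Run this from an elevated PowerShell session on each host, or wrap it in a remoting job across a fleet and collect the output objects; a host whose engine stays below the expected build after `Update-MpSignature` is the one to investigate, since that usually indicates a blocked update path rather than a missing patch.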