A critical vulnerability has (once again) turned up in Microsoft’s Malware Protection Engine. The bug allows attackers to execute remote code. An emergency patch for affected systems is already being distributed. The flaw sits precisely in the Windows component that is supposed to protect the system against intrusion by malicious software. That makes the case doubly awkward: on the one hand, injecting malicious code is very easy; on the other, attackers gain maximum privileges in one go and can completely take over the attacked system. An e-mail, a visited website or a started file download can already be enough to exploit the flaw; the user does not even have to do anything or open a malicious file.
Microsoft has discovered a critical vulnerability in its Malware Protection Engine (MPE) that allows attackers to execute remote code. The Redmond company is already distributing an emergency patch that should make affected systems safe again.
To exploit the CVE-2017-11937 flaw, attackers must get the MPE, which is built into many Microsoft products, to scan a specially crafted file. This causes a memory corruption error, which in turn allows the malicious code to execute.
The crafted file can be planted in many ways. It is enough, for example, to deliver the file via an e-mail or an instant messenger message: on download it is usually scanned by the MPE. An attacker could also use file-hosting websites to attack the provider’s servers, because files uploaded to the shared location are checked as well.
If real-time protection is enabled on the affected system, the attack takes effect immediately. If not, the attackers must wait for a periodic or manually triggered scan.
Affected is MPE version 1.1.14306.0, which is used in Windows Defender, Microsoft Security Essentials, Forefront Endpoint Protection and Exchange Server. The update to the fixed version 1.1.14405.2 is distributed automatically to the affected products.
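Administrators who want to confirm that the automatic update has actually arrived can compare the engine version reported by Windows Defender against the fixed release named above. The following PowerShell check is an added example, not part of the original article or of Microsoft's advisory; it assumes the built-in Defender module (Get-MpComputerStatus, Update-MpSignature) and therefore covers Windows Defender only, while Security Essentials, Forefront and Exchange report their engine version through their own tooling.

```powershell
# Added example (not from the article): verify the Defender engine version
# against the fixed MPE release. Assumes the Defender PowerShell module that
# ships with Windows 8 / Server 2012 and later. Version numbers are the ones
# quoted in the article text.
$vulnerableEngine = [version]'1.1.14306.0'
$fixedEngine      = [version]'1.1.14405.2'

$status = Get-MpComputerStatus
$engine = [version]$status.AMEngineVersion

if ($engine -lt $fixedEngine) {
    Write-Warning "MPE $engine is older than the fixed release $fixedEngine"
    if ($engine -eq $vulnerableEngine) {
        Write-Warning "This is exactly the version named as affected by CVE-2017-11937"
    }
    # Fetch the engine/definition update now instead of waiting for the scheduled cycle
    Update-MpSignature
} else {
    Write-Output "MPE $engine already includes the fix"
}

# Real-time protection decides whether a crafted file is scanned on arrival
# or only at the next periodic or manual scan (see the paragraph above).
"Real-time protection enabled: $($status.RealTimeProtectionEnabled)"
"Last signature update:        $($status.AntivirusSignatureLastUpdated)"
```

On a fleet, the same comparison can be run remotely via Invoke-Command and the hosts still reporting an engine older than 1.1.14405.2 collected into a list for follow-up.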
Vulnerable virus scanner
Microsoft’s MPE has repeatedly made headlines in the past because of serious security vulnerabilities. In May, Redmond already had to ship two emergency patches for its security solution. Back then, too, a manipulated file was enough to outsmart the MPE.