Microsoft Patches Critical Malware Protection Engine Vulnerability

If you've tinkered with the settings to prevent these automatic updates, however, you should install this patch to make sure an attacker can't exploit this now-public vulnerability on your system.

On May 8, Microsoft released an out-of-band fix for the problem, demonstrating unusual swiftness in addressing a serious issue with its software.

Microsoft has explained that if the attacked system has real-time protection activated, the exploit is triggered immediately when the infected file or files are scanned.

In fact, Tavis Ormandy, a vulnerability researcher at Google, said in a tweet "This is insane bad". Further, mpengine contains a component called NScript that evaluates any filesystem and network activity that looks like JavaScript for malicious behavior.

The company said in its security advisory that attackers could exploit the vulnerability to "install programs; view, change, or delete data; or create new accounts with full user rights".

Over the weekend, Google's Project Zero researcher Tavis Ormandy tweeted about discovering what he referred to as "the worst Windows remote code exec in recent memory".

Microsoft released the out-of-band patch Monday evening and revealed that the issue (CVE-2017-0290) was in the Microsoft Malware Protection Engine and enables attackers to perform remote code execution (RCE) or trigger a denial of service through type confusion and application crashes. Microsoft released the emergency update on Monday just hours ahead of today's regularly scheduled "Patch Tuesday" (the second Tuesday of each month) to fix a risky flaw present in most of Microsoft's anti-malware technology, one that is being called the worst Windows bug in recent memory.

The pair discovered that NScript, the engine's JavaScript interpreter, doesn't properly validate the properties of messages it scans.

They claimed that vulnerabilities in the Microsoft Malware Protection Engine "are among the most severe possible in Windows, due to the privilege, accessibility, and ubiquity of the service". NScript isn't sandboxed and runs at a very high privilege level, and it's used to evaluate untrusted code by default on nearly every modern Windows system.

Users don't have to take any action if their security products are set to the default, which will update their engines and definitions automatically, Microsoft said. "This is as surprising as it sounds".

The vulnerability presents considerable trouble for Windows users: Windows Defender is meant to keep users safe, but trusting the Microsoft-developed program that comes installed by default on all Windows machines actually left users at risk.

Desktop and server Windows deployments might be at risk, especially if real-time protection is turned on in the affected security products.
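As an added example (not from the article or from Microsoft), the check a Windows administrator could run to confirm the engine has moved past the fixed version and to see whether real-time protection is on. Get-MpComputerStatus and Update-MpSignature are the Windows Defender module cmdlets; the minimum engine version is a placeholder that must be taken from Microsoft's advisory.

```powershell
# Added example: verify a host has picked up the fixed Malware Protection Engine
# and report whether real-time scanning (the scan-on-access trigger) is enabled.
# PLACEHOLDER: replace with the first fixed engine version from Microsoft's advisory.
$MinimumFixedEngineVersion = [version]'0.0.0.0'

function Test-MpEngineState {
    param([version]$MinimumVersion = $MinimumFixedEngineVersion)

    if ($MinimumVersion -eq [version]'0.0.0.0') {
        throw 'Set $MinimumFixedEngineVersion to the fixed engine version from the advisory first.'
    }

    $status = Get-MpComputerStatus            # Defender status, including engine version
    $engine = [version]$status.AMEngineVersion
    $patched = ($engine -ge $MinimumVersion)

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        EngineVersion        = $engine
        EngineIsPatched      = $patched
        RealTimeProtection   = $status.RealTimeProtectionEnabled
        SignatureLastUpdated = $status.AntivirusSignatureLastUpdated
        # Worst case described in the article: unpatched engine plus real-time
        # protection on, so any file that gets scanned can trigger the flaw.
        ExposedToScanTrigger = (-not $patched) -and $status.RealTimeProtectionEnabled
    }
}

$result = Test-MpEngineState
$result | Format-List

if (-not $result.EngineIsPatched) {
    Write-Warning "Engine $($result.EngineVersion) is below the fixed version; pulling the latest engine and definitions now."
    # Force the update instead of waiting for the scheduled definition cycle.
    Update-MpSignature
}
```

Run it elevated on each host (or via a remoting session) and collect the objects; hosts where ExposedToScanTrigger is true are the ones to prioritize.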

According to the Project Zero team, the issue was in Microsoft's anti-malware protection engine.
