Microsoft just patched a very dangerous security flaw in Windows

Posted on Tuesday, May 09 2017 @ 13:54 CEST by Thomas De Maesschalck
MS logo
Google Project Zero security researcher Tavis Ormandy and Natalie Silvanovich discovered what they claim may be the worst Windows remote code execution exploit in recent memory. Ironically, the bug resides in the Malware Protection Engine service of recent versions of Windows, including Windows 7, 8.1 and 10, as well as security software from Microsoft.

Details on how it works and the severity of the bug can be read at Chromium. The vulnerability works on a default install, is exploitable via the Internet and is wormable.

The exploit provides system privilege level access and is surprisingly easy to perform as it does not require user action. The Google researchers say users can get infected by visiting a website, by receiving files via instant messaging or simply by receiving an e-mail. Reading the infected e-mail or opening attachments is not necessary because the Malware Protection service automatically inspects all system file system activity.
MsMpEng is the Malware Protection service that is enabled by default on Windows 8, 8.1, 10, Windows Server 2012, and so on. Additionally, Microsoft Security Essentials, System Centre Endpoint Protection and various other Microsoft security products share the same core engine. MsMpEng runs as NT AUTHORITYSYSTEM without sandboxing, and is remotely accessible without authentication via various Windows services, including Exchange, IIS, and so on.

On workstations, attackers can access mpengine by sending emails to users (reading the email or opening attachments is not necessary), visiting links in a web browser, instant messaging and so on. This level of accessibility is possible because MsMpEng uses a filesystem minifilter to intercept and inspect all system filesystem activity, so writing controlled contents to anywhere on disk (e.g. caches, temporary internet files, downloads (even unconfirmed downloads), attachments, etc) is enough to access functionality in mpengine. MIME types and file extensions are not relevant to this vulnerability, as MsMpEng uses it's own content identification system.

Vulnerabilities in MsMpEng are among the most severe possible in Windows, due to the privilege, accessibility, and ubiquity of the service.

The core component of MsMpEng responsible for scanning and analysis is called mpengine. Mpengine is a vast and complex attack surface, comprising of handlers for dozens of esoteric archive formats, executable packers and cryptors, full system emulators and interpreters for various architectures and languages, and so on. All of this code is accessible to remote attackers.

NScript is the component of mpengine that evaluates any filesystem or network activity that looks like JavaScript. To be clear, this is an unsandboxed and highly privileged JavaScript interpreter that is used to evaluate untrusted code, by default on all modern Windows systems. This is as surprising as it sounds.

Google's Project Zero gives software vendors a 90-day deadline before bugs are made public but fortunately Microsoft handled this issue very rapidly. A patch for the Malware Protection Engine was released yesterday, you can check the security advisory over here.
Microsoft is releasing this security advisory to inform customers that an update to the Microsoft Malware Protection Engine addresses a security vulnerability that was reported to Microsoft.

The update addresses a vulnerability that could allow remote code execution if the Microsoft Malware Protection Engine scans a specially crafted file. An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the LocalSystem account and take control of the system.
In a follow up comment on Twitter, Ormandy said he's blown away at how fast Microsoft handled this security crisis:

Loading Comments