Microsoft races out patch for dangerous Windows anti-malware flaw

Microsoft has plugged a hole affecting all of its security products that could be remotely exploited by a user just opening a malicious email.

Microsoft delivered the patch today, just three days after Google’s Project Zero members Natalie Silvanovich and Tavis Ormandy informed Microsoft about a remotely exploitable flaw in the Microsoft Malware Protection Engine. The component scans Windows machines for malware.

The engine powers several Microsoft security products, including Windows Defender, its free and default anti-malware product for Windows, and several enterprise products. Patches have been released for Defender for Windows 7, Windows 8.1, and several versions of Windows 10, as well as Windows Server 2016. Microsoft has also patched Forefront Endpoint Protection, Microsoft Security Essentials, and Windows Intune Endpoint Protection.

The patch’s release outside of Microsoft’s usual monthly Patch Tuesday update cycle suggests Microsoft considered this an extremely severe issue.

As Ormandy notes on the Project Zero database, vulnerabilities in the Microsoft Malware Protection Engine (MsMpEng) “are among the most severe possible in Windows, due to the privilege, accessibility, and ubiquity of the service.”

An attacker could exploit this flaw by having the malware protection engine scan a specially crafted file, which could be delivered by email, a website, or instant message. The flaw is triggered when the engine scans the file, so if real-time protection is enabled, exploitation would be immediate. Using the flaw, an attacker could execute their code in the context of the LocalSystem account, which would allow them to install programs, manipulate data, or create new accounts with full user rights.

“A remote code execution vulnerability exists when the Microsoft Malware Protection Engine does not properly scan a specially crafted file leading to memory corruption,” Microsoft notes.

Ormandy today said he was “blown away” by the speed of Microsoft’s patch, but he had less praise for the way Microsoft designed its malware scanning engine. He tweeted on Friday, without revealing specifics or the affected product, that he and Silvanovich had found “the worst Windows remote code exec in recent memory. This is crazy bad.”

The pair discovered that NScript, the engine’s JavaScript interpreter, doesn't properly validate the properties of messages it scans.

“The core component of MsMpEng responsible for scanning and analysis is called mpengine. Mpengine is a vast and complex attack surface, comprising of handlers for dozens of esoteric archive formats, executable packers and cryptors, full system emulators and interpreters for various architectures and languages, and so on. All of this code is accessible to remote attackers,” he wrote.

“NScript is the component of mpengine that evaluates any filesystem or network activity that looks like JavaScript. To be clear, this is an unsandboxed and highly privileged JavaScript interpreter that is used to evaluate untrusted code, by default on all modern Windows systems. This is as surprising as it sounds.”

Microsoft notes in its advisory that in most cases users and admins will not have to take any action to install the patch, since its anti-malware products by default receive updates from Microsoft, such as new malware signatures, through the same channel.

Answering why no action is required, Microsoft explains: “In response to a constantly changing threat landscape, Microsoft frequently updates malware definitions and the Microsoft Malware Protection Engine. In order to be effective in helping protect against new and prevalent threats, antimalware software must be kept up to date with these updates in a timely manner.”

“For enterprise deployments as well as end users, the default configuration in Microsoft antimalware software helps ensure that malware definitions and the Microsoft Malware Protection Engine are kept up to date automatically. Product documentation also recommends that products are configured for automatic updating.”

Admins and users should check that the Microsoft Malware Protection Engine version is 1.1.10701.0 or later; those versions are not affected by this bug.
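As an added example (not from the article or from Microsoft), the following PowerShell performs the version check described above on a Defender host and, if the engine is older than 1.1.10701.0, requests a definition update, which is the channel the article says engine updates arrive through. It assumes the Defender PowerShell module is present (Windows 8.1 / Server 2012 R2 and later); Windows 7 and Microsoft Security Essentials hosts must be checked through the product UI instead.

```powershell
# Added example, not the article's or Microsoft's own code.
# Checks the Microsoft Malware Protection Engine version against the first
# unaffected version the article cites, and reports related protection state.

$FixedVersion = [version]'1.1.10701.0'   # first unaffected engine version (from the article)

function Test-MpEnginePatched {
    param(
        [version]$MinimumVersion = $FixedVersion,
        # Optional CIM session for checking a remote host; omit for the local machine.
        [Microsoft.Management.Infrastructure.CimSession]$CimSession
    )

    $params = @{}
    if ($CimSession) { $params['CimSession'] = $CimSession }
    $status = Get-MpComputerStatus @params

    # AMEngineVersion is the MsMpEng engine build; AntivirusSignatureVersion
    # shows whether definitions are flowing, which is what carries engine updates.
    $engine = [version]$status.AMEngineVersion

    [pscustomobject]@{
        ComputerName       = if ($CimSession) { $CimSession.ComputerName } else { $env:COMPUTERNAME }
        EngineVersion      = $engine
        SignatureVersion   = $status.AntivirusSignatureVersion
        RealTimeProtection = $status.RealTimeProtectionEnabled
        Patched            = ($engine -ge $MinimumVersion)
    }
}

$result = Test-MpEnginePatched
$result | Format-List

if (-not $result.Patched) {
    # A vulnerable engine on a host with real-time protection is the exposure the
    # article describes; pull the update now rather than waiting for the schedule.
    Write-Warning "Engine $($result.EngineVersion) is older than $FixedVersion; requesting an update."
    Update-MpSignature
    # Re-check once the update completes.
    (Test-MpEnginePatched).Patched
}
```

For a fleet, wrap the function in `Invoke-Command` against a list of hosts and collect the `Patched` field per machine.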