Old open source bug exposes Windows 10 PCs to hack via Windows Defender antivirus

  • Liam Tung (CSO Online)
  • 05 April, 2018 05:31

Google’s Project Zero researchers discovered a way to exploit how Windows Defender scans RAR archive files to compromise all supported versions of Windows for PCs and servers.  

Microsoft is pushing out a fix for a critical remote code execution flaw affecting Microsoft Malware Protection Engine, the software library responsible for scanning files in Microsoft’s Windows Defender antivirus and other security products.    

Microsoft’s advisory for the bug tracked as CVE-2018-0986 says the engine “does not properly scan a specially crafted file, leading to memory corruption” which could allow an attacker to take control of a Windows PC or server to install programs, modify data and create new accounts with full user rights.

Google Project Zero researcher Thomas Dullien, aka Halvar Flake, discovered that Microsoft introduced a critical bug in the Microsoft Malware Protection Engine or mpengine.dll within the tools it uses to inspect RAR, one of the many archive formats its antivirus products inspect. 

According to Dullien, Microsoft modified the open source code of the UnRar package for extracting files from RAR archives. The modification meant that all signed variables were made unsigned, in turn introducing a severe memory corruption vulnerability that allows an attacker to compromise the host. 

“This is amazing, Windows Defender used the open source unrar code, but changed all the signed ints to unsigned for some reason, breaking the code. @halvarflake noticed and got it fixed. Remote SYSTEM memory corruption,” wrote Tavis Ormandy, the Project Zero researcher who specializes in bugs affecting antivirus products. 

Dullien notes that the bug appears to have its roots in a critical UnRar issue affecting a RAR inspection component of Sophos antivirus in 2012 that was fixed in its product but apparently missed by or not reported to upstream RAR developers at the time.   

However, Dullien discovered last year that the issue remained unfixed in UnRar source code, which was also widely used in third-party software that could still be affected five years on. RAR developers issued a source code fix at the time that bumped up its latest version to 5.5.5 but Microsoft was using an older version in Windows Defender. 

“Inspection of mpengine.dll revealed that the code responsible for processing RAR archives appears to be a forked and modified version of the original unrar code; given that it still processes the VMSF_UPCASE filter (which was removed in unrar 5.0), it seems that the code is derived from a version of unrar older or equal than 4.2.4,” wrote Dullien.

“Interestingly, the issue discovered in CVE-2012-6706 (Sophos VMSF_DELTA, and in 2017 unrar) and other signedness issues in the RarVM::ExecuteStandardFilter function were fixed long ago (apparently without a report to upstream, most likely by simply turning the relevant variables from "signed" to “unsigned")."

Customers with real-time protection enabled could be exploited as soon as a user visits a page, opens an email or uses a file-hosting service that contains the specially crafted file, Microsoft warns. 

However, admins and users won’t have to manually install updates unless default configurations have been changed. 

“If the affected antimalware software has real-time protection turned on, the Microsoft Malware Protection Engine will scan files automatically, leading to exploitation of the vulnerability when the specially crafted file is scanned. If real-time scanning is not enabled, the attacker would need to wait until a scheduled scan occurs in order for the vulnerability to be exploited. All systems running an affected version of antimalware software are primarily at risk,” Microsoft says. 

Besides Windows Defender for all supported versions of Windows, other affected products include Exchange Server 2013 and 2016, Forefront Endpoint Protection 2010, Microsoft Security Essentials, and Intune Endpoint Protection.