Fraud Management & Cybercrime , Governance & Risk Management , Next-Generation Technologies & Secure Development
Devastating Flaw Found in Microsoft's AV Engine
Remote Execution Possible Via a Single EmailMicrosoft quickly fixed a startling vulnerability in its anti-malware engine, once again demonstrating that the very applications designed to thwart hackers sometimes can actually easily let them in.
See Also: 2024 Threat Hunting Report: Insights to Outsmart Modern Adversaries
The first tip-off to the problem was tweeted by Tavis Ormandy, a bug hunter with Google's Project Zero, a group that has compiled a stunning track record of finding dangerous vulnerabilities. He found the bug with fellow researcher Natalie Silvanovich.
"I think @natashenka and I just discovered the worst Windows remote code exec in recent memory," he writes. "This is crazy bad. Report on the way."
The flaw was within Microsoft's Malware Protection Engine, a complex component that watches all activity in a computer's file system for signs of malicious activity. Like many anti-malware engines, it has deep and wide access to the operating system, which makes remotely executable software flaws especially dangerous.
Microsoft said on May 8 that it has engineered a patch. Most organizations should see the patch automatically installed within 48 hours due to the built-in update mechanism.
"The update addresses a vulnerability that could allow remote code execution if the Microsoft Malware Protection Engine scans a specially crafted file," according to Microsoft's advisory. "An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the LocalSystem account and take control of the system."
Two-Day Window
The up to two days it takes for a patch to be automatically delivered is a rather large window given the nature of this flaw, but administrators can patch manually. In a post, Ormandy and Silvanovich describe why this flaw is so bad.
Because the Malware Protection Engine is in charge of scanning the file system, it has far-reaching access. Conversely, it means attackers can reach the engine minus any interaction by the user, even by just sending a single email.
The core scanning and analysis component, called Mpengine, "is a vast and complex attack surface, comprising handlers for dozens of esoteric archive formats, executable packers and cryptors, full system emulators and interpreters for various architectures and languages, and so on," the researchers write. "All of this code is accessible to remote attackers."
There's a component of Mpengine, called NScript, that is responsible for looking at filesystem or network activity that involves JavaScript, they write. For some reason, Microsoft did not isolate NScript.
"This is an unsandboxed and highly privileged JavaScript interpreter that is used to evaluate untrusted code by default on all modern Windows systems," they write. "This is as surprising as it sounds."
They found that a function within NScript failed to validate a message string, allowing an attacker to pass on other arbitrary objects. No user interaction is required if real-time protection is enabled. In that mode, the engine automatically scans files.
Merely sending an email to someone could be used to trigger an exploit. The victim doesn't even have to open the email or an attachment. Visiting a link in a web browser or one sent via instant messaging is another attack path, they write.
Ormandy writes on Twitter that the attack will work on default installations of Windows, and it doesn't have to be executed on the same LAN. It's also possible to make the exploit wormable, or self-spreading.
Products Affected
In its advisory, Microsoft says the flaw affects Forefront Endpoint Protection 2010, Endpoint Protection, Forefront Security for SharePoint Service Pack 3, System Center Endpoint Protection, Security Essentials and Intune Endpoint Protection. It also affects Defender on Windows 7, 8.1, RT 8.1, Windows 10, Windows 10 1511, Windows 10 1607, Windows Server 2016 and Windows 10 1703.
"Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers when this security advisory was originally issued," the company notes.