Google Security Researcher Pops Microsoft's AV Defenses

In Response, Microsoft Has Patched Its Malware Protection Engine
Details of the flaw in Microsoft's Malware Protection Engine, first reported to Microsoft June 7.

A Google security researcher has once again found a potentially devastating vulnerability in Microsoft's Malware Protection Engine, the core component of anti-malware systems that ship with every Windows computer and server.

Microsoft patched the remote code execution flaw on Friday, but the finding once again highlights the danger of vulnerabilities in the very software that's designed to protect computers from intrusion.

The flaw was found by Tavis Ormandy, a bug hunter with Google's Project Zero who has a notable track record in finding software flaws in antivirus software.

Line of Defense

The Malware Protection Engine is the front-line guard for new files or executables that touch the operating system. It is incorporated into several Microsoft security applications, including Windows Defender, Security Essentials and Forefront Endpoint Protection.

Files are first run through an x86 emulator, which gives the engine a chance to see whether they do anything suspicious. For some reason, the x86 emulator doesn't run in a sandbox - an area that is isolated from the rest of the operating system. Sandboxes raise the bar for attackers: a successful exploit against the application is not enough on its own, because another flaw - or several - would be needed to escape the sandbox.

"This full system x86 emulator runs as SYSTEM, is unsandboxed, is enabled by default and remotely accessible to attackers," Ormandy writes in an advisory. He wrote a fuzzer - a tool that feeds malformed input to software to uncover bugs - and immediately found a memory corruption flaw.

"I suspect this has never been fuzzed before," he writes.

Because files and executables have to pass through the Malware Protection Engine gateway, a vulnerability in that engine potentially gives attackers a foothold in the operating system.

Specially Crafted File

To exploit the vulnerability, an attacker would have to get the victim's computer to scan a specially crafted file with the Malware Protection Engine, Microsoft writes in an advisory.

"For example, an attacker could use a website to deliver a specially crafted file to the victim's system that is scanned when the website is viewed by the user," the company writes. "An attacker could also deliver a specially crafted file via an email message or in an Instant Messenger message that is scanned when the file is opened. An attacker could take advantage of websites that accept or host user-provided content, to upload a specially crafted file to a shared location that is scanned by the Malware Protection Engine running on the hosting server."

Ironically, there's also increased danger if users have real-time protection turned on, which is, in theory, a good defense to have in place. "If the affected anti-malware software has real-time protection turned on, the Microsoft Malware Protection Engine will scan files automatically, leading to exploitation of the vulnerability when the specially crafted file is scanned," Microsoft writes.

Ormandy wrote proof-of-concept code, testcase.txt, that would crash the Malware Protection Engine. To prevent users from inadvertently crashing their computers, he encrypted it.

"Note that as soon as the testcase.txt file touches disk, it will immediately crash the MsMpEng service on Windows, which may destabilize your system," Ormandy writes. "The testcases have been encrypted to prevent crashing your Exchange server."
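As an added defender-side check (not code from the article, from Microsoft or from Ormandy), the following PowerShell reads the engine version and real-time protection state that the advisory ties to exposure, and looks for recent MsMpEng.exe crashes of the kind the test case causes. The minimum patched engine version is a placeholder to be filled in from Microsoft's advisory.

```powershell
# Added example. Assumes a Windows host with the Defender PowerShell module
# (Get-MpComputerStatus). $MinimumEngineVersion is a PLACEHOLDER: take the
# real patched engine version from Microsoft's advisory for this flaw.
[version]$MinimumEngineVersion = '0.0.0.0'   # PLACEHOLDER, not the real value

function Test-MpEngineStatus {
    $status = Get-MpComputerStatus
    [version]$engine = $status.AMEngineVersion
    $patched = ($engine -ge $MinimumEngineVersion)
    [pscustomobject]@{
        EngineVersion      = $engine
        EnginePatched      = $patched
        RealTimeProtection = $status.RealTimeProtectionEnabled
        # With real-time protection on, any file that touches disk is scanned
        # automatically, so an unpatched engine plus RTP is the exposure described.
        AutoScanExposure   = (-not $patched) -and $status.RealTimeProtectionEnabled
    }
}

function Get-MpEngineCrashes {
    param([int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days)
    # Application log: Application Error event 1000 names the faulting image.
    $appCrash = Get-WinEvent -FilterHashtable @{
        LogName = 'Application'; ProviderName = 'Application Error'; Id = 1000; StartTime = $since
    } -ErrorAction SilentlyContinue | Where-Object { $_.Message -match 'MsMpEng\.exe' }
    # System log: Service Control Manager 7031/7034 record a service that died unexpectedly.
    $svcCrash = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7031, 7034; StartTime = $since
    } -ErrorAction SilentlyContinue | Where-Object { $_.Message -match 'Defender|Antimalware' }
    @($appCrash) + @($svcCrash) | Sort-Object TimeCreated |
        Select-Object TimeCreated, Id, ProviderName, Message
}

Test-MpEngineStatus
Get-MpEngineCrashes -Days 7
```

A repeated MsMpEng.exe crash shortly after a file arrives by mail, web download or upload is the signal worth correlating with the scan that triggered it.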

Yet Another Flaw

Just last month, Ormandy and a colleague, Natalie Silvanovich, found what he termed "the worst Windows remote code exec in recent memory" in the very same software (see Devastating Flaw Found in Microsoft's AV Engine).

Because the Malware Protection Engine has to be capable of scanning a variety of code, it's quite complex. Ormandy and Silvanovich found an issue with part of the engine that looks at file system or network activity involving JavaScript.

That component, called NScript, failed to stop attackers from passing on other objects. It wasn't sandboxed, either. A victim would not even have to open a rigged email or attachment designed to exploit the vulnerability. Other attack avenues for that issue would be tricking the user into clicking a link in a web browser or one sent via instant messaging.

Vulnerabilities such as the one found by Ormandy could cause widespread trouble if discovered by hackers or nation-states due to Microsoft's dominance in operating systems. Last month, upwards of 200,000 computers were infected with the WannaCry ransomware (see WannaCry Ransomware Outbreak Spreads Worldwide).

The computers were attacked using a leaked NSA exploit that targeted the Server Message Block protocol, which is used for file sharing. Microsoft issued a patch about a month before the exploit became public, but many organizations and users had not applied it.

Those who created WannaCry, which the U.S. and U.K. governments suspect is North Korea, turned it into a worm, which enables the ransomware to rapidly spread through networks (see British Security Services Tie North Korea to WannaCry).

About the Author

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.
