Microsoft's own antivirus software made Windows 7, 8.1, RT and 10 computers, as well as Windows Server 2016 more vulnerable.

Microsoft has just released an out-of-band security update to patch the crazy bad bug discovered by a pair of Google Project Zero researchers over the weekend.

Security researchers Tavis Ormandy announced on Twitter during the weekend that he and another Project Zero researcher Natalie Silvanovich discovered "the worst Windows remote code [execution vulnerability] in recent memory."

Natalie Silvanovich also published a proof-of-concept (PoC) exploit code that fits in a single tweet.

The reported RCE vulnerability, according to the duo, could work against default installations with "wormable" ability – capability to replicate itself on an infected computer and then spread to other PCs automatically.

According to an advisory released by Microsoft, the remotely exploitable security flaw (CVE-2017-0290) exists in Microsoft Malware Protection Engine (MMPE) – the company's own antivirus engine that could be used to fully compromise Windows PCs without any user interaction.

List of Affected Anti-Malware Software

Eventually, every anti-malware software that ship with the Microsoft's Malware Protection Engine are vulnerable to this flaw. The affected software includes:

  • Windows Defender
  • Windows Intune Endpoint Protection
  • Microsoft Security Essentials
  • Microsoft System Center Endpoint Protection
  • Microsoft Forefront Security for SharePoint
  • Microsoft Endpoint Protection
  • Microsoft Forefront Endpoint Protection

Microsoft's Defender security software comes enabled by default on Windows 7, 8.1, RT 8.1, and Windows 10, as well as Windows Server 2016. All are at risk of full remote system compromise.

Remote Code Execution Flaw in Microsoft's Malware Protection Engine

The flaw resides in the way the Microsoft Malware Protection Engine scan files. It is possible for an attacker to craft a malicious file that could lead to memory corruption on targeted systems.

Researchers have labeled the flaw as a "type confusion" vulnerability that exists in NScript, a "component of mpengine that evaluates any filesystem or network activity that looks like JavaScript," which fails to validate JavaScript inputs.
"To be clear, this is an unsandboxed and highly privileged JavaScript interpreter that is used to evaluate untrusted code, by default on all modern Windows systems. This is as surprising as it sounds," Google security researchers explained in a bug report posted on the Chromium forum.
Since antivirus programs have real-time scanning functionality enabled by default that automatically scans files when they are created, opened, copied or downloaded, the exploit gets triggered as soon as the malicious file is downloaded, infecting the target computer.

The vulnerability could be exploited by hackers in several ways, like sending emails, luring victims to sites that deliver malicious files, and instant messaging.
"On workstations, attackers can access mpengine by sending emails to users (reading the email or opening attachments is not necessary), visiting links in a web browser, instant messaging and so on," researchers explained.
"This level of accessibility is possible because MsMpEng uses a filesystem minifilter to intercept and inspect all system filesystem activity, so writing controlled contents to anywhere on disk (e.g. caches, temporary internet files, downloads (even unconfirmed downloads), attachments, etc.) is enough to access functionality in mpengine."
The injected malicious payload runs with elevated LocalSystem level privileges that would allow hackers to gain full control of the target system, and perform malicious tasks like installing spyware, stealing sensitive files, and login credentials, and much more.

Microsoft responded to the issue very quickly and comes up with a patch within just 3 days, which is very impressive. The patch is now available via Windows Update for Windows 7, 8.1, RT and 10.

The vulnerable version of Microsoft Malware Protection Engine (MMPE) is 1.1.13701.0, and the patched version is 1.1.13704.0.

By default, Windows PCs automatically install the latest definitions and updates for the engine. So, your system will install the emergency update automatically within 1-2 days, but you can also get it installed immediately by pressing 'Check Update' button in your settings.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.