Microsoft fixes serious vulnerability in Defender found by Google
Google has found a serious vulnerability in the engine behind Microsoft's security products for Windows, such as Defender. The vulnerability allows remote code execution on affected systems. Microsoft has released an update for the Malware Protection Engine.
According to Microsoft, the update fixes vulnerability CVE-2017-0290 in the Malware Protection Engine, which could allow an attacker to execute arbitrary code with LocalSystem account privileges and thereby take over a system completely. The vulnerability was found by Google Project Zero, which deploys security experts to find zero-day vulnerabilities.
Tavis Ormandy of the project reports that vulnerabilities in the engine, MsMpEng, are among the most serious possible in Windows, due to the elevated privileges, accessibility and ubiquity of the service. The engine is the foundation for Defender, Security Essentials and Endpoint Protection. Affected are engine versions 1.1.10701.0 and later, on Windows 7, 8, 8.1 and 10, Windows Server 2012 and Windows Server 2016.
MsMpEng runs without sandboxing and can be reached remotely without authentication via various Windows services such as Exchange and IIS. More precisely, the vulnerability is a validation error in a component of mpengine, which in turn is the central part of MsMpEng. That component, called NScript, is a JavaScript interpreter that Microsoft ships by default with every version of Windows to evaluate suspicious code.
Ormandy reported last weekend via Twitter that he and Natalie Silvanovich of Project Zero had found a ‘crazy bad’ vulnerability in Windows. Without going into much detail, he already said that the attack works against default Windows installations and that the attacker does not need to be on the same local network. He also indicated that the attack is wormable. After publishing the details, he complimented Microsoft on its quick response.
Windows users should not need to do anything for the update, but Microsoft recommends verifying that the Microsoft Malware Protection Engine has been updated to version 1.1.13704.0 or later. If it has not, users still have to apply the update manually.
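The version check Microsoft recommends, as an added PowerShell example that is not part of the article or of Microsoft's own tooling. It assumes the Defender PowerShell module (Get-MpComputerStatus, Update-MpSignature) is present, which is the case on Windows 8/Server 2012 and later with Defender installed; the comparison is done on [version] objects rather than strings, so a build such as 1.1.9999.0 is correctly ranked below 1.1.13704.0.

```powershell
# Added example (not from the article): checks whether the local Malware
# Protection Engine is at or above the fixed version named in the advisory.
# Assumes the Defender PowerShell module (Get-MpComputerStatus) is available.
$FixedVersion = [version]'1.1.13704.0'   # first engine build carrying the fix

function Test-MpEngineFixed {
    # Numeric version comparison; a plain string compare would mis-order
    # e.g. '1.1.9999.0' against '1.1.13704.0'.
    param([version]$EngineVersion)
    return $EngineVersion -ge $FixedVersion
}

$status = Get-MpComputerStatus
$engine = [version]$status.AMEngineVersion   # Malware Protection Engine build

if (Test-MpEngineFixed -EngineVersion $engine) {
    "Engine $engine is at or above $FixedVersion - CVE-2017-0290 fix present."
} else {
    "Engine $engine is below $FixedVersion - updating and re-checking."
    Update-MpSignature          # pulls the latest engine and definitions
    $engine = [version](Get-MpComputerStatus).AMEngineVersion
    "Engine after update: $engine (fixed: $(Test-MpEngineFixed $engine))"
}
```

On Windows 7 with Security Essentials the module is not available, so there the engine version has to be read from the product's own update dialog instead.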