
Microsoft's Malware Protection Engine Still Vulnerable to Malware

Posted: June 27, 2017

Google's Project Zero is still scratching at Microsoft's omnipresent Malware Protection Engine (MsMpEng), which lies at the heart of several security products for the Windows OS, and it is still finding new flaws in the system's defenses. The newest, yet another remote code execution vulnerability, was fixed by an engine update released last Friday, June 23, after Project Zero researcher Tavis Ormandy reported it to Microsoft on June 7.

The flaw sits in the same component, an unsandboxed x86 system emulator inside MsMpEng, that Microsoft quietly patched in late May this year. This is not the first critical MsMpEng flaw that Ormandy has found and forced Microsoft to patch in recent months; in fact, it is the third fix since the beginning of May.

Ormandy wrote a custom fuzzer for the emulator that turned up a heap corruption in its KERNEL32.DLL!VFS_Write API, according to the bug report he published on June 23, once the patch had been pushed to Windows systems.

"I suspect this has never been fuzzed before," Ormandy said in his bug report.

The unsandboxed x86 system emulator is used to execute untrusted files that look like Portable Executable (PE) binaries, so that their behavior can be inspected before they run for real; it runs with SYSTEM privileges. Ormandy noted that code running inside the emulator can reach a special apicall instruction that exposes a "large number of emulator apis", and that this surface is reachable remotely, since any file the engine scans is fed to it. He added that Microsoft told him the apicall instruction is exposed on purpose, for several reasons. According to Microsoft's advisory, the flaw arises because MsMpEng does not properly scan a specially crafted file, which leads to memory corruption.

"An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the LocalSystem account and take control of the system," Microsoft warned in an advisory. "An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."

An attacker can host the specially crafted file on a website and lure a target to it; MsMpEng scans the downloaded content automatically, and the scan itself triggers the exploit. The file can just as easily be delivered by email, where it is exploited as soon as MsMpEng scans the message or its attachment on the target machine.

"If the affected antimalware software has real-time protection turned on, the Microsoft Malware Protection Engine will scan files automatically, leading to exploitation of the vulnerability when the specially crafted file is scanned. If real-time scanning is not enabled, the attacker would need to wait until a scheduled scan occurs in order for the vulnerability to be exploited. All systems running an affected version of antimalware software are primarily at risk," Microsoft said.

The Malware Protection Engine is shared by a whole family of Microsoft security products, among them Windows Defender, Microsoft Intune Endpoint Protection, Microsoft Endpoint Protection and Microsoft Forefront Endpoint Protection, so all of them are affected.
Microsoft representatives noted that engine updates reach endpoints automatically in most scenarios, and added that the vulnerability affects only the x86 (32-bit) build of MsMpEng.
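Because exploitation needs nothing more than a scan, the only real defense is running a fixed engine, and "updates reach endpoints automatically in most scenarios" is worth verifying rather than assuming. The PowerShell below is an added example for Windows Defender hosts, not code from the article, Project Zero or Microsoft. It uses the Defender module's Get-MpComputerStatus and Update-MpSignature cmdlets (engine updates travel through the signature-update channel). The minimum fixed engine version is passed in as a parameter; the default of 1.1.13903.0 is my recollection of the first fixed version listed in Microsoft's advisory for this bug and should be checked against the advisory before use.

```powershell
# Added example: report whether this host runs a patched Malware Protection
# Engine and whether real-time protection is on, then pull an update if not.
# Assumption: $MinFixedEngine defaults to the first fixed engine version as
# listed in Microsoft's advisory for the June 2017 fix; verify before relying on it.
param(
    [version]$MinFixedEngine = '1.1.13903.0'
)

$status = Get-MpComputerStatus

# AMEngineVersion is a dotted string; [version] gives a numeric comparison
# rather than a string one (so 1.1.13903.0 > 1.1.9999.0 is evaluated correctly).
$engine  = [version]$status.AMEngineVersion
$patched = $engine -ge $MinFixedEngine

[pscustomobject]@{
    Computer           = $env:COMPUTERNAME
    EngineVersion      = $engine
    MinFixedEngine     = $MinFixedEngine
    EnginePatched      = $patched
    RealTimeProtection = $status.RealTimeProtectionEnabled
    # The article says only the 32-bit MsMpEng build is affected; on 64-bit
    # Windows the engine runs as a 64-bit process.
    Is32BitOS          = -not [Environment]::Is64BitOperatingSystem
}

if (-not $patched) {
    Write-Warning "Engine $engine is older than $MinFixedEngine; requesting an update."
    Update-MpSignature
    $after = [version](Get-MpComputerStatus).AMEngineVersion
    if ($after -lt $MinFixedEngine) {
        Write-Warning "Engine is still $after after the update; check WSUS or Windows Update delivery."
    }
}
```

Disabling real-time protection is not a mitigation here: as Microsoft's advisory notes, the crafted file is still processed at the next scheduled scan. The Defender module ships with Windows 8 and later; hosts running the other products listed above (Forefront, Endpoint Protection) expose the engine version through their own consoles rather than these cmdlets.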

On May 8, Microsoft released an update for the first MsMpEng flaw found by Tavis Ormandy and fellow Project Zero researcher Natalie Silvanovich. That vulnerability was described as the worst Windows remote code execution flaw in recent memory.

On May 25, Microsoft quietly released a separate fix for the first batch of emulator problems in the Malware Protection Engine.
