Severe CVE-2017-0290 in MsMpEng About to Be Patched

Just this morning, we wrote about the “worst Windows remote code exec in recent memory” discovered by Google Project Zero researchers Tavis Ormandy and Natalie Silvanovich. The terrifying bug has now been made public and has been identified as CVE-2017-0290. The bug was in the Microsoft Malware Protection Engine, which runs in most of Microsoft’s anti-malware tools bundled with the operating system. As it turns out, the MsMpEng engine was over-privileged and un-sandboxed.

What is most surprising, however, is that Microsoft has succeeded in releasing an emergency patch, accompanied by a security advisory.

Here is the list of affected products:

  • Microsoft Forefront Endpoint Protection 2010
  • Microsoft Endpoint Protection
  • Microsoft Forefront Security for SharePoint Service Pack 3
  • Microsoft System Center Endpoint Protection
  • Microsoft Security Essentials
  • Windows Defender for Windows 7
  • Windows Defender for Windows 8.1
  • Windows Defender for Windows RT 8.1
  • Windows Defender for Windows 10, Windows 10 1511, Windows 10 1607, Windows Server 2016, Windows 10 1703
  • Windows Intune Endpoint Protection

More about CVE-2017-0290

Apparently, the MsMpEng engine could be accessed remotely via several critical, ubiquitous Windows services, such as Exchange and the IIS web server.

According to Google’s bug report, “vulnerabilities in MsMpEng are among the most severe possible in Windows, due to the privilege, accessibility, and ubiquity of the service”.

On workstations, attackers can access mpengine by sending emails to users (reading the email or opening attachments is not necessary), visiting links in a web browser, instant messaging and so on. This level of accessibility is possible because MsMpEng uses a filesystem minifilter to intercept and inspect all system filesystem activity, so writing controlled contents to anywhere on disk (e.g. caches, temporary internet files, downloads (even unconfirmed downloads), attachments, etc.) is enough to access functionality in mpengine.

As for the updates, they will be pushed automatically to the engine in the next two days, Microsoft says. The update addresses a flaw that could allow remote code execution if the Microsoft Malware Protection Engine scans a specially crafted file. An attacker who successfully exploited CVE-2017-0290 could execute arbitrary code in the security context of the LocalSystem account and take control of the system, Microsoft adds.
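Because the fix ships as an engine update rather than a conventional Windows patch, the practical question for administrators is whether each machine's Malware Protection Engine has actually rolled forward. The PowerShell below is an added example, not code from the article or from Microsoft: it reads the installed engine version (via Get-MpComputerStatus on Windows 10 / Server 2016, falling back to registry values that older products such as Security Essentials are assumed to write) and compares it against a minimum fixed version. The minimum version is deliberately a placeholder; take the real value from Microsoft's advisory for CVE-2017-0290, and verify the two registry paths on your own builds.

```powershell
# Added example (not from the article): report whether the local Microsoft Malware
# Protection Engine is at or above a given fixed engine version.
# PLACEHOLDER: replace with the first fixed engine version listed in Microsoft's
# advisory for CVE-2017-0290.
param(
    [version]$MinimumFixedEngineVersion = [version]'0.0.0.0'
)

function Get-MpEngineVersion {
    # Windows 10 / Server 2016 expose the engine version through the Defender module.
    if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
        $status = Get-MpComputerStatus
        if ($status.AMEngineVersion) { return [version]$status.AMEngineVersion }
    }

    # Older products (Security Essentials, System Center Endpoint Protection) record the
    # engine version in the registry. These paths are assumptions; confirm them locally.
    $candidates = @(
        'HKLM:\SOFTWARE\Microsoft\Windows Defender\Signature Updates',
        'HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware\Signature Updates'
    )
    foreach ($path in $candidates) {
        $v = (Get-ItemProperty -Path $path -Name EngineVersion -ErrorAction SilentlyContinue).EngineVersion
        if ($v) { return [version]$v }
    }
    return $null
}

function Test-MpEnginePatched {
    param([version]$Minimum)

    $current = Get-MpEngineVersion
    if (-not $current) {
        # No engine found: treat as unpatched so it shows up in fleet reports.
        return [pscustomobject]@{
            Computer      = $env:COMPUTERNAME
            EngineVersion = $null
            Patched       = $false
            Note          = 'engine version not found; confirm an affected product is installed'
        }
    }

    $ok = $current -ge $Minimum
    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        EngineVersion = $current
        Patched       = $ok
        Note          = if ($ok) { 'ok' } else { 'engine behind minimum; run Update-MpSignature or check Windows Update' }
    }
}

# Usage: run on each host (or via Invoke-Command against a list of hosts) and
# collect the objects for a fleet-wide view.
Test-MpEnginePatched -Minimum $MinimumFixedEngineVersion | Format-Table -AutoSize
```

The version strings are cast to [version] so the comparison is numeric per component rather than a string compare, which matters once the build number has a different digit count. Returning an object rather than printing makes the script usable under Invoke-Command for a fleet-wide report.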

Milena Dimitrova

An inspired writer, focused on user privacy and malicious software. Enjoys 'Mr. Robot' and fears '1984'.
