Just this morning, we wrote about the “worst Windows remote code exec in recent memory” discovered by Google Project Zero researchers Tavis Ormandy and Natalie Silvanovich. The terrifying bug has now been made public and has been identified as CVE-2017-0290. The bug was in the Microsoft Malware Protection Engine, which runs in most of the anti-malware tools Microsoft bundles with the operating system. As it turns out, the MsMpEng engine was over-privileged and un-sandboxed.
What is most surprising, however, is that Microsoft has succeeded in releasing an emergency patch together with a security advisory.
Here is the list of affected products:
- Microsoft Forefront Endpoint Protection 2010
- Microsoft Endpoint Protection
- Microsoft Forefront Security for SharePoint Service Pack 3
- Microsoft System Center Endpoint Protection
- Microsoft Security Essentials
- Windows Defender for Windows 7
- Windows Defender for Windows 8.1
- Windows Defender for Windows RT 8.1
- Windows Defender for Windows 10, Windows 10 1511, Windows 10 1607, Windows Server 2016, Windows 10 1703
- Windows Intune Endpoint Protection
More about CVE-2017-0290
Apparently, the MsMpEng engine could be accessed remotely via several critical, ubiquitous Windows services, such as Exchange and the IIS web server.
According to Google’s bug report, “vulnerabilities in MsMpEng are among the most severe possible in Windows, due to the privilege, accessibility, and ubiquity of the service”.
On workstations, attackers can access mpengine by sending emails to users (reading the email or opening attachments is not necessary), visiting links in a web browser, instant messaging and so on. This level of accessibility is possible because MsMpEng uses a filesystem minifilter to intercept and inspect all system filesystem activity, so writing controlled contents to anywhere on disk (e.g. caches, temporary internet files, downloads (even unconfirmed downloads), attachments, etc) is enough to access functionality in mpengine.
As for the updates, they will be pushed automatically to the engine in the next two days, Microsoft says. The update addresses a flaw that could allow remote code execution if the Microsoft Malware Protection Engine scans a specially crafted file. An attacker who successfully exploited CVE-2017-0290 could execute arbitrary code in the security context of the LocalSystem account and take control of the system, Microsoft adds.
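Since the fix ships as an engine update rather than a Windows Update package, an administrator may want to confirm that a given machine has actually received it. The following PowerShell check is an added example, not code from the article or from Microsoft; it assumes a Windows 8.1/10 or Server 2016 host where the Defender PowerShell module is present, and it takes the minimum fixed engine version as a parameter because that value must be copied from Microsoft's advisory (the placeholder below is deliberately not a real version).

```powershell
# Added example: compare the loaded Malware Protection Engine version with the
# minimum fixed version named in Microsoft's advisory for CVE-2017-0290.
# Assumes the Defender module (Get-MpComputerStatus / Update-MpSignature).
param(
    # PLACEHOLDER: pass the fixed engine version from the advisory, e.g.
    #   .\Check-MpEngine.ps1 -MinimumEngineVersion <version from advisory>
    [Parameter(Mandatory = $true)]
    [version]$MinimumEngineVersion
)

# Get-MpComputerStatus exposes the engine version as a string (AMEngineVersion).
$status = Get-MpComputerStatus -ErrorAction Stop

if (-not $status.AMServiceEnabled) {
    Write-Warning "The anti-malware service is not running; the engine version reported may be stale."
}

$engine = [version]$status.AMEngineVersion

if ($engine -ge $MinimumEngineVersion) {
    Write-Output "MsMpEng engine $engine is at or above $MinimumEngineVersion: fix present."
} else {
    Write-Output "MsMpEng engine $engine is below $MinimumEngineVersion: fix NOT present."
    # The engine is delivered alongside definition updates, so forcing a
    # signature update is the quickest way to pull it in; re-run afterwards.
    Update-MpSignature -ErrorAction Stop
    Write-Output "Signature/engine update requested; re-run this check to confirm."
}
```

Older products in the affected list (Security Essentials, Forefront, System Center Endpoint Protection) do not ship the Defender module, so this check does not apply to them as written.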