A remote code execution vulnerability exists when the Microsoft Malware Protection Engine does not properly scan a specially crafted file leading to memory corruption.
An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the LocalSystem account and take control of the system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
To exploit this vulnerability, a specially crafted file must be scanned by an affected version of the Microsoft Malware Protection Engine. There are many ways that an attacker could place a specially crafted file in a location that is scanned by the Microsoft Malware Protection Engine. For example, an attacker could use a website to deliver a specially crafted file to the victim's system that is scanned when the website is viewed by the user. An attacker could also deliver a specially crafted file via an email message or in an Instant Messenger message that is scanned when the file is opened. In addition, an attacker could take advantage of websites that accept or host user-provided content, to upload a specially crafted file to a shared location that is scanned by the Malware Protection Engine running on the hosting server.
If the affected antimalware software has real-time protection turned on, the Microsoft Malware Protection Engine will scan files automatically, leading to exploitation of the vulnerability when the specially crafted file scanned. If real-time scanning is not enabled, the attacker would need to wait until a scheduled scan occurs in order for the vulnerability to be exploited. All systems running an affected version of antimalware software are primarily at risk.
The update addresses the vulnerability by correcting the manner in which the Microsoft Malware Protection Engine scans specially crafted files.
Microsoft received information about this vulnerability through coordinated vulnerability disclosure.
Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers when this security advisory was originally issued.
Affected Software
The following software versions or editions are affected. Versions or editions that are not listed are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, see Microsoft Support Lifecycle.
|
Antimalware Software |
Microsoft Malware Protection Engine Remote Code Execution Vulnerability- CVE-2017-0290 |
|
Microsoft Forefront Endpoint Protection 2010 |
Critical |
|
Microsoft Endpoint Protection |
Critical |
|
Microsoft Forefront Security for SharePoint Service Pack 3 |
Critical |
|
Microsoft System Center Endpoint Protection |
Critical |
|
Microsoft Security Essentials |
Critical |
|
Windows Defender for Windows 7 |
Critical |
|
Windows Defender for Windows 8.1 |
Critical |
|
Windows Defender for Windows RT 8.1 |
Critical |
|
Windows Defender for Windows 10, Windows 10 1511, Windows 10 1607, Windows Server 2016, Windows 10 1703 |
Critical |
|
Windows Intune Endpoint Protection |
Critical |
Exploitability Index
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
How do I use this table?
Use this table to learn about the likelihood of code execution and denial of service exploits within 30 days of security bulletin release, for each of the security updates that you may need to install. Review each of the assessments below, in accordance with your specific configuration, to prioritize your deployment of this month's updates. For more information about what these ratings mean, and how they are determined, please see Microsoft Exploitability Index.
On Monday night, in an emergency update, Microsoft fixed the vulnerability in its security packages. This upgrade will be automatically fetched and installed by the scanner engine on your machines, quietly closing the embarrassing security hole over the next two days.
"The update addresses a vulnerability that could allow remote code execution if the Microsoft Malware Protection Engine scans a specially crafted file," explained Redmond's security team.
"An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the LocalSystem account and take control of the system.
"Typically, no action is required of enterprise administrators or end users to install updates for the Microsoft Malware Protection Engine, because the built-in mechanism for the automatic detection and deployment of updates will apply the update within 48 hours of release. The exact time frame depends on the software used, Internet connection, and infrastructure configuration."
The programming blunder – CVE-2017-0290 – was discovered and reported to Redmond by Google Project Zero's Natalie Silvanovich and Tavis Ormandy. The latter described the bug as "the worst Windows remote code [execution] in recent memory. This is crazy bad."
Ahead of tonight's drama, Ormandy tweeted about the bug's existence on Friday evening, and, understandably, gave no further details because at the time there was no patch yet available:
.@natashenka Attack works against a default install, don't need to be on the same LAN, and it's wormable. ?
— Tavis Ormandy (@taviso) May 6, 2017
Sources familiar with the matter told The Reg that Ormandy contacted the Windows giant before tweeting.
It was feared this vulnerability – even though details were scant – would remain unpatched for potentially weeks or months. Earlier, we asked Microsoft if it could share a timetable for the fix's release so that IT admins could plan downtimes and update cycles.
In response, Microsoft spokespeople told us: "Windows has a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection."
So, basically, jog on, nerds. But as it turns out Microsoft was faster off the ball than expected. "Still blown away at how quickly Microsoft Security responded to protect users," said Ormandy on Monday. "I can't give enough kudos. Amazing."
An easy way for attackers to exploit the scanner bug would be to send malicious malware-laden files to a victim as an attachment on an email or instant message, or an automatic download from a webpage, which would be automatically scanned on arrival – and trigger an infection.
Responsible disclosure
Ormandy's early warning of the bug, just before the weekend, sparked a torrent of whining from some in the infosec world, who felt the researcher was playing his own game with the news.
Ormandy has done this sort of teasing before. Twice in the past few months, he has warned of flaws in the LastPass password manager. In both cases, the software maker's engineers spent their weekends getting security updates built and out the door.
But there is nothing irresponsible about such disclosure. To be responsible, researchers have to inform the writers of the flawed software with full details and preferably a proof of concept for exploiting it. Once that's done, they can talk about the flaw tangentially, but not give clues as to how it works for fear of alerting exploit writers and malware-slinging scumbags.
That didn't stop many people online accusing the duo of being reckless – for, one, warning of the existence of a bug early, and causing worry among IT managers and normal folk – and, two, for doing it on a Friday night when everyone has gone home or to the bar.
On that first point, the complainers are dead wrong – in some cases, going public forces companies into action. Over the years we've seen multiple examples of organizations getting word of flaws and dragging their feet for months, or even years, before fixing issues that malware developers may already have spotted.
On the second point, well, we hate to break it to you but all software has bugs – especially Microsoft's code. There are any number of horrible remote code execution flaws in Windows and Office right now, sitting there waiting for white and black hats to find and exploit. Being told, yes, there is definitely a bad bug lurking in among the ones and zeroes doesn't make you less secure.
Short of something overly drastic, there isn't really anything you can do until the patch lands – it just would be helpful if Microsoft gave folks a heads up.
If a tweet is causing panic or confusion in your organization, the problem isn't the tweet, the problem is your organization
— Natalie Silvanovich (@natashenka) May 6, 2017
The Windows maker should be counting its blessings. It just received a free flaw report that could have cost them a lot in bug bounties, and was able to quietly, on a Monday evening while most of the Western world was asleep or commuting home, slip out a fix.
Sources : Microsoft , Theregister