On May 8th 2017, Google Project Zero researcher Tavis Ormandy tweeted about a weakness he had discovered in the Windows platform.
Roughly 8 hours after this tweet from the researcher, Microsoft responded to all of its Enterprise Customers with a lengthy email like the one below. I know this because our Cyber Team, which I am part of, also received it, and even though I had read the tweet 8 hours earlier, we were still scrambling to find the impact radius of this flaw.
First, before we dive into it, let me explain what an RCE vulnerability is. RCE stands for Remote Code Execution, and this RCE was discovered in the Microsoft Malware Protection Engine, which runs by default on newer Microsoft operating systems.
MS email alert to Enterprise Customers:
What is the purpose of this alert?
This alert is to notify you that Microsoft has released Security Advisory 4022344 – Security Update for Microsoft Malware Protection Engine – on May 8, 2017, to inform customers about an important update to the Microsoft Malware Protection Engine.
Microsoft is releasing this security advisory to inform customers that an update to the Microsoft Malware Protection Engine addresses a security vulnerability that was reported to Microsoft.
The update addresses a vulnerability that could allow remote code execution if the Microsoft Malware Protection Engine scans a specially crafted file. An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the LocalSystem account and take control of the system.
The Microsoft Malware Protection Engine ships with several Microsoft antimalware products. See the Affected Software section below for a list of affected products.
This security advisory applies to the following software:
- Microsoft Forefront Endpoint Protection 2010
- Microsoft Forefront Security for SharePoint Service Pack 3
- Microsoft System Center Endpoint Protection
- Microsoft Security Essentials
- Windows Defender for Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows 10, Windows 10 1511, Windows 10 1607, Windows Server 2016, Windows 10 1703
- Windows Defender for Windows RT 8.1
- Windows Defender for Windows 7, and Windows Server 2008 R2
- Windows Intune Endpoint Protection
Microsoft Malware Protection Engine Version Details
Last version of the Microsoft Malware Protection Engine affected by this vulnerability: 1.1.13701.0
First version of the Microsoft Malware Protection Engine with this vulnerability addressed: Version 1.1.13704.0
If your version of the Microsoft Malware Protection Engine is equal to or greater than 1.1.13704.0, then you are not affected by this vulnerability and do not need to take any further action.
For more information on how to verify the engine version number that your software is currently using, see the section, “Verifying Update Installation”, in Microsoft Knowledge Base Article 2510781.
Updates to the Microsoft Malware Protection Engine are installed along with the updated malware definitions for the affected products. Administrators of enterprise installations should follow their established internal processes to ensure that the definition and engine updates are approved in their update management software, and that clients consume the updates accordingly.
Typically, no action is required of enterprise administrators or end users to install updates for the Microsoft Malware Protection Engine, because the built-in mechanism for the automatic detection and deployment of updates will apply the update within 48 hours of release. The exact time frame depends on the software used, Internet connection, and infrastructure configuration.
We encourage you to review Microsoft Security Advisory 4022344 for an overview of the issue, details on affected components, suggested actions, answers to frequently asked questions (FAQ), and links to additional resources.
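The advisory above gives a single decision rule: an engine version of 1.1.13704.0 or higher is fixed, anything up to 1.1.13701.0 is affected. The following PowerShell is an added example written for this post; it is not code from Microsoft's advisory or from the original email. It wraps that rule in a function that uses the .NET `[version]` type, because a plain string comparison gets this wrong (as strings, "1.1.13701.0" sorts below "1.1.9000.0"). It assumes `Get-MpComputerStatus` from the Defender PowerShell module is available for the local check (it is on Windows 8.1 / Server 2012 R2 and later; on Windows 7 with Security Essentials, use the product UI as KB 2510781 describes), and the host inventory at the end is constructed sample data, not real machines.

```powershell
# Added example (not from the original post or from Microsoft's advisory).
# Fixed engine version is taken from the advisory text above.
$FixedEngineVersion = [version]'1.1.13704.0'

function Test-MpEngineFixed {
    # Returns an object stating whether the supplied engine version string
    # is at or above the fixed build. [version] compares each dotted
    # component numerically, so 1.1.13701.0 < 1.1.13704.0 as intended.
    param(
        [Parameter(Mandatory)][string]$EngineVersion,
        [version]$Fixed = $FixedEngineVersion
    )
    $parsed = $null
    if (-not [version]::TryParse($EngineVersion, [ref]$parsed)) {
        throw "Unrecognised engine version string: '$EngineVersion'"
    }
    [pscustomobject]@{
        EngineVersion = $parsed
        Fixed         = ($parsed -ge $Fixed)
    }
}

# Local check. Get-MpComputerStatus is part of the Defender module; its
# AMEngineVersion property is the Malware Protection Engine build.
if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
    $status = Get-MpComputerStatus
    Test-MpEngineFixed -EngineVersion $status.AMEngineVersion
} else {
    Write-Warning 'Defender module not present; read the engine version from the product UI (see KB 2510781).'
}

# Fleet check over an inventory export. These rows are constructed sample
# data for illustration; a real run would read a CSV from your management tool.
$inventory = @(
    [pscustomobject]@{ Host = 'ws-01';  Engine = '1.1.13701.0' },   # last affected build
    [pscustomobject]@{ Host = 'ws-02';  Engine = '1.1.13704.0' },   # first fixed build
    [pscustomobject]@{ Host = 'srv-03'; Engine = '1.1.13600.0' }    # older, affected
)

$inventory | ForEach-Object {
    $result = Test-MpEngineFixed -EngineVersion $_.Engine
    [pscustomobject]@{
        Host   = $_.Host
        Engine = $result.EngineVersion
        Status = if ($result.Fixed) { 'patched' } else { 'AFFECTED' }
    }
} | Format-Table -AutoSize
```

Because engine updates ride along with definition updates, a host that shows an affected build 48 hours after the release is worth treating as a definition-update failure (proxy, WSUS approval, stopped service) rather than waiting further, which is the point of running this across the fleet rather than on one machine.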
Coming back to this RCE flaw in the Malware Protection Engine, and how it works from the attacker's point of view in exploiting the vulnerability.
For it to work, the attacker needs to get a specially crafted file to the user. This can be done by tricking the end user into visiting a website hosting the file (similar to a phishing attack), or by placing the file on a file share.
When the MS Malware Protection Engine, which is part of Windows Defender and Security Essentials, automatically scans this file, the crafted content causes code to execute (RCE). Because the engine runs as LocalSystem, that code runs in the LocalSystem security context, giving the attacker control of the system.
Microsoft has released a TechNet security publication explaining more about it: https://technet.microsoft.com/en-us/library/security/4022344.aspx#ID0E3AAC
Security researcher at Microsoft Tal Be'ery demonstrating a PoC using the code developed by the Google Project Zero team.