Microsoft closes critical vulnerability CVE-2017-8558 in Malware Protection Engine (June 23, 2017)

[German] Microsoft has released a critical security update on June 23, 2017, for the Microsoft Malware Protection Engine (MsMpEng). This update addresses vulnerability CVE-2017-8558. Here are a few details.


A cryptic Microsoft e-mail

Yesterday evening (June 23, 2017) at 8:13 PM I received a short e-mail from Microsoft with the following content.

Title: Microsoft Security Update Releases
Issued: June 23, 2017

The following CVE was released on June 23, 2017:

– Impact: Remote Code Execution
– Version Number: 1.0

No more details or links were given, so I decided to let things rest until the next morning.

CVE-2017-8558 in the Microsoft Malware Protection Engine

After searching the Internet for CVE-2017-8558, I found that this CVE entry covers a vulnerability in the Microsoft Malware Protection Engine. CVE-2017-8558 describes a critical remote code execution vulnerability: the engine scans files as they arrive over the network, so delivering a specially crafted file to the target is enough to trigger it.

Symantec has a short article, titled 'Microsoft Malware Protection Engine CVE-2017-8558 Remote Code Execution Vulnerability', that sheds a bit of light on the case. Tavis Ormandy from Google Project Zero discovered a vulnerability in Microsoft's Malware Protection Engine (MsMpEng). According to Symantec's listing, MsMpEng is used in the following security products (the Windows versions listed under Windows Defender ship the engine as part of the operating system):

Microsoft Windows Intune Endpoint Protection
Microsoft Windows Defender
+ Microsoft Windows 10 for 32-bit Systems
+ Microsoft Windows 10 for x64-based Systems
+ Microsoft Windows 10 version 1511 for 32-bit Systems
+ Microsoft Windows 10 version 1511 for x64-based Systems
+ Microsoft Windows 10 version 1607 for 32-bit Systems
+ Microsoft Windows 10 version 1607 for x64-based Systems
+ Microsoft Windows 10 version 1703 for 32-bit Systems
+ Microsoft Windows 10 version 1703 for x64-based Systems
+ Microsoft Windows 7 for 32-bit Systems SP1
+ Microsoft Windows 7 for x64-based Systems SP1
+ Microsoft Windows 8.1 for 32-bit Systems
+ Microsoft Windows 8.1 for x64-based Systems
+ Microsoft Windows RT 8.1
+ Microsoft Windows Server 2016
Microsoft Security Essentials
Microsoft Forefront Endpoint Protection 2010
Microsoft Forefront Endpoint Protection
Microsoft Endpoint Protection

Tavis Ormandy discovered the vulnerability

Tavis Ormandy posted this tweet on June 7, 2017, hinting at a vulnerability.

The details can be found in the Chromium bug tracker, where Tavis also posted a test case. From his report:

I discussed Microsoft's "apicall" instruction that can invoke a large number of internal emulator apis and is exposed to remote attackers by default in all recent versions of Windows. I asked Microsoft if this was intentionally exposed, and they replied "The apicall instruction is exposed for multiple reasons", so this is intentional.

This full system x86 emulator runs as SYSTEM, is unsandboxed, is enabled by default and remotely accessible to attackers.

I took a quick stab at writing a fuzzer and immediately found heap corruption in the KERNEL32.DLL!VFS_Write API, I suspect this has never been fuzzed before.

More details

Then I found information that the vulnerable code lives in the library file mpengine.dll. Through the apicall instruction Ormandy could reach further internal emulator APIs, and in one of these functions he found a critical memory corruption bug (the report quoted above names heap corruption in KERNEL32.DLL!VFS_Write). Because the engine runs unsandboxed as SYSTEM, an attacker can abuse the Microsoft Malware Protection Engine up to module version 1.1.13804.0 (32-bit) for remote code execution over the network. Later I found Microsoft's CVE-2017-8558 page, which gives more details:

A remote code execution vulnerability exists when the Microsoft Malware Protection Engine does not properly scan a specially crafted file, leading to memory corruption. An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the LocalSystem account and take control of the system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Vulnerability closed via update

Microsoft closed CVE-2017-8558 with an engine update on June 23, 2017. Module version 1.1.13903.0 of the Microsoft Malware Protection Engine is no longer affected. All Microsoft antivirus products (Windows Defender, Microsoft Security Essentials and Forefront Endpoint Protection) receive the new engine automatically, because the engine is delivered together with the definition updates and does not depend on Windows Update. Only systems where definition updates are blocked or disabled need manual attention.
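To check whether a system already runs the fixed engine, here is an added PowerShell example (written for this post, not code from the original article or from Microsoft). It reads the engine version from the Defender cmdlet where that exists and otherwise from the registry values the definition updater writes, and compares it with 1.1.13903.0, the fixed version named above. The two registry paths and the use of Get-MpComputerStatus / Update-MpSignature are assumptions about Windows 10 / Server 2016 and Microsoft Security Essentials installations.

```powershell
# Added example: is the installed Microsoft Malware Protection Engine at or
# above the version that fixes CVE-2017-8558?
# Run in an elevated PowerShell; the registry paths are assumptions for this
# example, not taken from the original post.
$FixedVersion = [version]'1.1.13903.0'   # first fixed engine version per Microsoft

$EngineKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows Defender\Signature Updates',     # Windows Defender (assumed path)
    'HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware\Signature Updates'  # MSE / Forefront / SCEP (assumed path)
)

function Get-MpEngineVersion {
    # Prefer the Defender cmdlet (Windows 10 / Server 2016); it reports the
    # running engine rather than a value on disk.
    if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
        $status = Get-MpComputerStatus -ErrorAction SilentlyContinue
        if ($status -and $status.AMEngineVersion) {
            return [version]($status.AMEngineVersion)
        }
    }
    # Fall back to the EngineVersion value written by the definition updater
    # (Windows 7 / 8.1 with MSE or Forefront have no Defender cmdlets).
    foreach ($key in $EngineKeys) {
        $item = Get-ItemProperty -Path $key -Name EngineVersion -ErrorAction SilentlyContinue
        if ($item -and $item.EngineVersion) {
            return [version]($item.EngineVersion)
        }
    }
    return $null
}

function Test-Cve20178558Fixed {
    param([version]$Installed)
    # [version] compares all four fields numerically, so 1.1.13903.0 > 1.1.13804.0
    # and a later build such as 1.1.14003.0 also counts as fixed.
    if (-not $Installed) { return $false }
    return ($Installed -ge $FixedVersion)
}

$installed = Get-MpEngineVersion
if (-not $installed) {
    Write-Warning 'No Microsoft Malware Protection Engine version found on this system.'
} elseif (Test-Cve20178558Fixed -Installed $installed) {
    Write-Output "Engine $($installed) is at or above $($FixedVersion): CVE-2017-8558 is fixed."
} else {
    Write-Warning "Engine $($installed) is below $($FixedVersion): still vulnerable to CVE-2017-8558."
    # The engine ships with the definition package, so forcing a definition
    # update pulls the fixed engine where the cmdlet is available.
    if (Get-Command Update-MpSignature -ErrorAction SilentlyContinue) {
        Update-MpSignature
    }
}
```

On a Windows 7 or 8.1 machine with Microsoft Security Essentials the cmdlets are missing, so only the second registry path applies; if neither path exists the script reports that no engine was found rather than claiming the system is fixed.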


I checked my Microsoft Security Essentials installation, which reported module version 1.1.13903.0 for the Microsoft Malware Protection Engine. It's the next critical fix for MsMpEng in a row of fixes within a few weeks.

Similar articles:
MS Malware Protection Engine Update May 25, 2017
Microsoft fixes critical Malware Protection Engine vulnerability
Windows has a critical wormable vulnerability
