Microsoft's Malware Protection Engine has a critical memory corruption vulnerability that allows remote code execution. Microsoft released a security advisory on December 6, 2017 and says corresponding security updates are available. Here is what I have found out so far. [Update: There was a 2nd critical vulnerability, CVE-2017-11940, in Microsoft's Malware Protection Engine.]
Critical vulnerability (CVE-2017-11937)
Thomas Gavin from the MSRC Vulnerabilities and Mitigations Team has reported the vulnerability CVE-2017-11937 in the Microsoft Malware Protection Engine.
A remote user can create a specially crafted file that, when scanned by the target Microsoft Malware Protection Engine, will trigger a memory corruption error and execute arbitrary code on the target system. The code will run with LocalSystem privileges.
Affected are Microsoft Endpoint Protection, Microsoft Exchange Server, Microsoft Forefront Endpoint Protection, Microsoft Security Essentials and Windows Defender (in other words, all Windows versions that include Defender).
Microsoft promises an update
Microsoft has sent me an e-mail promising a fix for CVE-2017-11937 and announcing updates for the following products:
Critical Windows 7 for 32-bit Systems Service Pack 1
Critical Windows 7 for x64-based Systems Service Pack 1
Critical Windows 8.1 for 32-bit systems
Critical Windows 8.1 for x64-based systems
Critical Windows RT 8.1
Critical Windows 10 for 32-bit Systems
Critical Windows 10 for x64-based Systems
Critical Windows 10 Version 1511 for 32-bit Systems
Critical Windows 10 Version 1511 for x64-based Systems
Critical Windows 10 Version 1607 for 32-bit Systems
Critical Windows 10 Version 1607 for x64-based Systems
Critical Windows 10 Version 1703 for 32-bit Systems
Critical Windows 10 Version 1703 for x64-based Systems
Critical Windows 10 Version 1709 for 32-bit Systems
Critical Windows 10 Version 1709 for x64-based Systems
Critical Windows Server 2016
Critical Windows Server 2016 (Server Core installation)
Critical Windows Server, version 1709 (Server Core Installation)
Critical Microsoft Endpoint Protection
Critical Microsoft Exchange Server 2013
Critical Microsoft Exchange Server 2016
Critical Microsoft Forefront Endpoint Protection
Critical Microsoft Forefront Endpoint Protection 2010
Critical Microsoft Security Essentials
The details may be found in the Security TechCenter. Note: you have to search there for CVE-2017-11937.
I've updated the article. In the first version I wrote that I hadn't found updates linked within the Microsoft Update Catalog. But I caught the wrong packages; those updates had been deleted. Updates for the Microsoft Malware Protection Engine are delivered together with signature updates.
With Microsoft Security Essentials I currently have anti-malware client version 4.10.209.0 and module version 1.1.14405.2; Windows Defender reports 4.12.16299.15 (Windows 10 V1709).
In Windows Update nothing is found under Windows 7 and Windows 10 (except for the definition update KB2267602). So I have no idea whether my machine has been updated or not.
I've created this thread at Askwoody.com – perhaps we will find out more details using the crowd.
Update: There is a new module version
I have now booted a Windows 7 machine that hasn't been online for 3 days. There I see module version 1.1.14306.0 and antimalware client version 4.10.209.0. So it seems that Microsoft Security Essentials and Windows Defender have updated themselves with a new version of the Malware Protection Engine. Addendum: The 2nd machine has also been updated to module version 1.1.14405.2.
My fault – I guess I was led astray by the links in the Security Center, because Defender and MSE update without using Windows Update.
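Because the engine update arrives with the signature updates rather than through Windows Update, the only reliable check is the engine version the product itself reports. The following PowerShell script is an added example (not code from the original post or from Microsoft) that reads that version and compares it against a threshold; it assumes 1.1.14405.2 as the threshold because that is the engine version the updated machines on this page report, and it assumes the usual registry locations for Windows Defender and Microsoft Security Essentials on systems without the Defender PowerShell module.

```powershell
# Added example, not from the original post. Reports the Malware Protection Engine
# version and checks it against a minimum. Threshold 1.1.14405.2 is an assumption
# taken from the engine version reported on this page; registry paths are assumed
# to be the standard Defender / Security Essentials "Signature Updates" keys.
param(
    [version]$MinimumEngine = [version]'1.1.14405.2'
)

function Get-MpEngineInfo {
    # Windows 8.1 / 10 / Server 2016 ship the Defender module with Get-MpComputerStatus.
    if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
        $s = Get-MpComputerStatus
        return [pscustomobject]@{
            Source     = 'Get-MpComputerStatus'
            Client     = $s.AMProductVersion
            Engine     = [version]$s.AMEngineVersion
            Signatures = $s.AntivirusSignatureVersion
        }
    }
    # Windows 7 with Security Essentials has no module; the engine version is
    # recorded in the registry by the signature update mechanism instead.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware\Signature Updates',
        'HKLM:\SOFTWARE\Microsoft\Windows Defender\Signature Updates'
    )
    foreach ($k in $keys) {
        $p = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        if ($p -and $p.EngineVersion) {
            return [pscustomobject]@{
                Source     = $k
                Client     = $null
                Engine     = [version]$p.EngineVersion
                Signatures = $p.AVSignatureVersion
            }
        }
    }
    throw 'No Microsoft antimalware engine found on this machine.'
}

$info = Get-MpEngineInfo
$info | Format-List

# [version] compares all four parts numerically, so 1.1.14405.2 > 1.1.14306.0.
if ($info.Engine -ge $MinimumEngine) {
    Write-Output "Engine $($info.Engine) is at or above $MinimumEngine."
} else {
    Write-Warning "Engine $($info.Engine) is older than $MinimumEngine. Trigger a signature update (MpCmdRun.exe -SignatureUpdate); Windows Update will not deliver the engine."
}
```

Run it in an elevated PowerShell on each machine; a version below the threshold after a signature update is the case worth investigating, since it means the engine update did not arrive with the definitions.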
Update: A 2nd vulnerability CVE-2017-11940
I was abroad, so I didn't notice a 2nd security advisory that Microsoft sent me tonight. A 2nd vulnerability, CVE-2017-11940, has been detected in Microsoft's Malware Protection Engine, which allows remote code execution. Here is the notification text from Microsoft:
Critical Security Updates
============================
CVE-2017-11940
Critical Windows 7 for 32-bit Systems Service Pack 1
Critical Windows 7 for x64-based Systems Service Pack 1
Critical Windows 8.1 for 32-bit systems
Critical Windows 8.1 for x64-based systems
Critical Windows RT 8.1
Critical Windows 10 for 32-bit Systems
Critical Windows 10 for x64-based Systems
Critical Windows 10 Version 1511 for 32-bit Systems
Critical Windows 10 Version 1511 for x64-based Systems
Critical Windows 10 Version 1607 for 32-bit Systems
Critical Windows 10 Version 1607 for x64-based Systems
Critical Windows 10 Version 1703 for 32-bit Systems
Critical Windows 10 Version 1703 for x64-based Systems
Critical Windows 10 Version 1709 for 32-bit Systems
Critical Windows 10 Version 1709 for x64-based Systems
Critical Windows Server 2016
Critical Windows Server 2016 (Server Core installation)
Critical Windows Server, version 1709 (Server Core Installation)
Critical Microsoft Endpoint Protection
Critical Microsoft Exchange Server 2013
Critical Microsoft Exchange Server 2016
Critical Microsoft Forefront Endpoint Protection
Critical Microsoft Forefront Endpoint Protection 2010
Critical Microsoft Security Essentials
Microsoft has documented CVE-2017-11940 here. It is sufficient to let the scanner read a prepared document to trigger the vulnerability. I assume that this vulnerability has also been fixed with the latest scan engine update.
Antimalware Client Version: 4.10.209.0
Engine Version: 1.1.14405.2
Antivirus definition: 1.259.16.0
Antispyware definition: 1.259.16.0
Network Inspection System Engine Version: 2.1.14202.0
Network Inspection System Definition Version: 118.2.0.0
Win Defender as of 7.12.2017, 1000 CET, Win8.1 x64
Perhaps not exactly related, but I spotted recently that daily definition updates started exceeding 20-30 MB – whereas until a week ago or so they were usually 150 kB – 2 MB.