[German]Microsoft’s Malware Protection Engine has a critical vulnerability (CVE-2018-0986). All supported Windows versions are affected. Microsoft has released a security update for the affected products.
Which products are affected?
The Malware Protection Engine is included in Windows Defender, Microsoft Security Essentials, Microsoft Intune Endpoint and Microsoft Forefront Endpoint 2010, all of which are affected by the CVE-2018-0986 vulnerability. Microsoft Exchange Server 2013 is also affected. Since Windows Defender runs on all currently supported Windows systems, all Windows systems from Windows 7 to Windows 8.1 to Windows 10 and the Windows Server counterparts are affected.
Remote Code Execution flaw (CVE-2018-0986)
The critical vulnerability Microsoft Malware Protection Engine Remote Code Execution Vulnerability is documented in CVE-2018-0986. There is a vulnerability that allows remote code execution. To do this, a specially designed file must be placed under the Microsoft Malware Protection Engine. This is not scanned properly, resulting in damage to the memory.
An attacker who successfully exploits this vulnerability can execute arbitrary code in the security context of the LocalSystem account and take control of the system. An attacker can then install programs, view, modify or delete data, or create new accounts with full user rights.
To exploit this vulnerability, the prepared file must be scanned by an affected version of the Microsoft Malware Protection Engine. There are many ways an attacker can place such a specially crafted file in a location scanned by the Microsoft Malware Protection Engine.
- For example, an attacker could use a Web site to deliver a specially crafted file to the victim’s system, which is scanned by the user when the Web site is viewed.
- An attacker can also deliver a specially crafted file via an email message or in an instant messenger message that is scanned when the file is opened.
- In addition, an attacker can use websites that accept or host user-provided content to upload a specially crafted file to a shared location scanned by the Malware Protection Engine on the hosting server.
If the affected antimalware software has real-time protection enabled, the Microsoft Malware Protection Engine automatically scans files. This causes the vulnerability to be exploited as soon as the specially created file is scanned.
If real-time scanning is not enabled, the attacker must wait for a scheduled scan to take advantage of the vulnerability. All systems running an affected version of the anti-malware software are primarily at risk.
Microsoft offers an update
The update is provided for affected versions of the Microsoft Malware Protection Engine. It fixes the vulnerability described above by correcting the way the Microsoft Malware Protection Engine scans specially created files.
Note: Microsoft writes, usually, no action is required to install updates for the Microsoft Malware Protection Engine. The integrated mechanism for automatic detection and provision of updates means that the update is applied within 48 hours of its release. The exact time frame depends on the software used, the Internet connection and the configuration of the infrastructure.
Updating Microsoft Security Essentials (MSE) manually
Addendum: The above Microsoft statement ‘everything works automatically’ isn’t true for Microsoft Security Essentials (MSE). I’ve checked it, no update was delivered automatically here. I had to update the MSE via Windows Update. An optional definition update for Microsoft Security Essentials – KB2310138 (definition 1.265.27.0) was offered there. After installing this definition update, the module version of the Microsoft Anti-Malware Engine was set to 1.1.14700.5.
Just for the record: Microsoft states in a security advisory that the CVE-2018-0986 is a critical vulnerability. It is claimed that the malware scan engine will be updated automatically. With the MSE, however, I needed to install an optional definition update to receive the new module version. It’s always fun to be part of the Microsoft update circus.
BTW: The nasty insides
Wajt went wrong at Microsoft? The team at The Register researched it here. The bug in the scan engine was discovered by Halvar Flake of Google project Zero and published in the Chromium project. Flake discovered the vulnerability in unpacking routines and tried to see where it came from. The bug could be traced back to an older version of unrar, an open source archiving program for unpacking .rar archives.
Apparently Microsoft has integrated the code of this open source version of unrar into the antivirus engine of its operating system. This forked code was then modified so that all signed integer variables were converted into unsigned variables. However, this led to subsequent problems in mathematical comparisons. This in turn made the software vulnerable to memory errors that could crash the antivirus package or allow malicious code to run.
This is amazing, Windows Defender used the open source unrar code, but changed all the signed ints to unsigned for some reason, breaking the code. @halvarflake noticed and got it fixed. Remote SYSTEM memory corruption ? https://t.co/gsx9ZMk1Hz
— Tavis Ormandy (@taviso) 4. April 2018
Google security researcher Tavis Ormandy has pointed out this fact in the above tweet.