{"id":4442,"date":"2017-12-07T07:54:00","date_gmt":"2017-12-07T06:54:00","guid":{"rendered":"http:\/\/borncity.com\/win\/?p=4442"},"modified":"2017-12-08T19:46:21","modified_gmt":"2017-12-08T18:46:21","slug":"critical-vulnerability-in-microsofts-malware-protection-engine-cve-2017-11937","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2017\/12\/07\/critical-vulnerability-in-microsofts-malware-protection-engine-cve-2017-11937\/","title":{"rendered":"Critical vulnerabilities in Microsoft’s Malware Protection Engine (CVE-2017-11937 and CVE-2017-11940)"},"content":{"rendered":"

\"Windows[German<\/a>]Microsoft's Malware Protection Engine has a critical memory corruption vulnerability that allows remote code execution. Microsoft released a security advisory on December 6, 2017 and says corresponding security updates are available. Here are what I found out till now. [Update:<\/strong> There was a 2nd critical vulnerability\u00a0CVE-2017-11940\u00a0in\u00a0Microsoft's Malware Protection Engine.]<\/p>\n

<\/p>\n

Critical vulnerability (CVE-2017-11937)<\/h2>\n

\"\"Thomas Gavin from MSRC Vulnerabilities and Mitigations Team has reported the vulnerability CVE-2017-11937<\/a> in Microsoft Malware Protection Engine.<\/p>\n

<\/a><\/p>\n

A remote user can create a specially crafted file that, when scanned by the target Microsoft Malware Protection Engine, will trigger a memory corruption error and execute arbitrary code on the target system. The code will run with LocalSystem privileges.<\/p>\n

 <\/p>\n

Affected are Microsoft Endpoint Protection, Microsoft Exchange Server, Microsoft Forefront Endpoint Protection, Microsoft Security Essentials and Windows Defender (or in other words all Windows versions that includes Defender).<\/p>\n

Microsoft promises an update<\/h2>\n

Microsoft has send me an e-mail promising a fix for CVE-2017-11937 and announcing an update for.<\/p>\n

Critical\u00a0\u00a0\u00a0 Windows 7 for 32-bit Systems Service Pack 1
\nCritical\u00a0\u00a0\u00a0 Windows 7 for x64-based Systems Service Pack 1
\nCritical\u00a0\u00a0\u00a0 Windows 8.1 for 32-bit systems
\nCritical\u00a0\u00a0\u00a0 Windows 8.1 for x64-based systems
\nCritical\u00a0\u00a0\u00a0 Windows RT 8.1
\nCritical\u00a0\u00a0\u00a0 Windows 10 for 32-bit Systems
\nCritical\u00a0\u00a0\u00a0 Windows 10 for x64-based Systems
\nCritical\u00a0\u00a0\u00a0 Windows 10 Version 1511 for 32-bit Systems
\nCritical\u00a0\u00a0\u00a0 Windows 10 Version 1511 for x64-based Systems
\nCritical\u00a0\u00a0\u00a0 Windows 10 Version 1607 for 32-bit Systems
\nCritical\u00a0\u00a0\u00a0 Windows 10 Version 1607 for x64-based Systems
\nCritical\u00a0\u00a0\u00a0 Windows 10 Version 1703 for 32-bit Systems
\nCritical\u00a0\u00a0\u00a0 Windows 10 Version 1703 for x64-based Systems
\nCritical\u00a0\u00a0\u00a0 Windows 10 Version 1709 for 32-bit Systems
\nCritical\u00a0\u00a0\u00a0 Windows 10 Version 1709 for x64-based Systems
\nCritical\u00a0\u00a0\u00a0 Windows Server 2016
\nCritical\u00a0\u00a0\u00a0 Windows Server 2016 (Server Core installation)
\nCritical\u00a0\u00a0\u00a0 Windows Server, version 1709 (Server Core Installation)
\nCritical\u00a0\u00a0\u00a0 Microsoft Endpoint Protection
\nCritical\u00a0\u00a0\u00a0 Microsoft Exchange Server 2013
\nCritical\u00a0\u00a0\u00a0 Microsoft Exchange Server 2016
\nCritical\u00a0\u00a0\u00a0 Microsoft Forefront Endpoint Protection
\nCritical\u00a0\u00a0\u00a0 Microsoft Forefront Endpoint Protection 2010
\nCritical\u00a0\u00a0\u00a0 Microsoft Security Essentials<\/p>\n

The details may be found in Security Tech Center<\/a>. Note: It's important to search for CVE-2017-11937.<\/p>\n

\"Security<\/p>\n

I've updated the article. In the first version I wrote, that I haven't found updates, linked within Microsoft Update Catalog. But I catched the wrong packages, the updates has been deleted. Updates for the Microsoft Malware Protection Engine are delivered with signature updates.<\/p><\/blockquote>\n

With Microsoft Security Essentials I have currently the anti-malware client version: 4.10.209.0, Module version 1.114405.2, Defender reports 4.12.16299.15 (Windows 10 V1709).<\/p>\n

\"MSE-Daten<\/p>\n

In Windows Update nothing is found under Windows 7 and Windows 10 (except for a definition update KB2267602). So I have no idea, whether my machine has been updated or not.<\/p>\n

I've created this thread<\/a> at Askwoody.com \u2013 perhaps we will find out more details using the crowd.<\/p><\/blockquote>\n

Update: There is a new module version<\/h2>\n

I have now booted a Windows 7 machine that hasn't been online for 3 days. There I see the module version: 1.1.14306.0 and the Antimalware client version: 4.10.209.0. So it seems, that Microsoft Security Essentials and Windows Defender has updated itself with a new version of Malware Protection Engine. Addendum: The 2nd machine has been also updated to module version: 1.1.14405.2.<\/p>\n

My fault – guess I've been lured on the ice by the links in the Security Center, because Defender and MSE are updating without using Windows Update.<\/p>\n

Update: A 2nd vulnerability CVE-2017-11940<\/h2>\n

I was abroad, so I didn't noticed a 2nd security advisory Microsoft has send me this night. There has been a 2nd\u00a0vulnerability CVE-2017-11940 detected in\u00a0Microsoft's Malware Protection Engine, which allows a Remote Code Execution. Here are the notification text from Microsoft:<\/p>\n

Critical Security Updates
\n============================<\/p>\n

CVE-2017-11940<\/p>\n

Critical Windows 7 for 32-bit Systems Service Pack 1
\nCritical Windows 7 for x64-based Systems Service Pack 1
\nCritical Windows 8.1 for 32-bit systems
\nCritical Windows 8.1 for x64-based systems
\nCritical Windows RT 8.1
\nCritical Windows 10 for 32-bit Systems
\nCritical Windows 10 for x64-based Systems
\nCritical Windows 10 Version 1511 for 32-bit Systems
\nCritical Windows 10 Version 1511 for x64-based Systems
\nCritical Windows 10 Version 1607 for 32-bit Systems
\nCritical Windows 10 Version 1607 for x64-based Systems
\nCritical Windows 10 Version 1703 for 32-bit Systems
\nCritical Windows 10 Version 1703 for x64-based Systems
\nCritical Windows 10 Version 1709 for 32-bit Systems
\nCritical Windows 10 Version 1709 for x64-based Systems
\nCritical Windows Server 2016
\nCritical Windows Server 2016 (Server Core installation)
\nCritical Windows Server, version 1709 (Server Core Installation)
\nCritical Microsoft Endpoint Protection
\nCritical Microsoft Exchange Server 2013
\nCritical Microsoft Exchange Server 2016
\nCritical Microsoft Forefront Endpoint Protection
\nCritical Microsoft Forefront Endpoint Protection 2010
\nCritical Microsoft Security Essentials<\/p>\n

Microsoft has documented CVE-2017-11940 here<\/a>. It's sufficient, to let the scanner read a prepared document, to trigger the vulnerability. I assume, that this vulnerability has been fixed also with the latest scan engine update.<\/p>\n","protected":false},"excerpt":{"rendered":"

[German]Microsoft's Malware Protection Engine has a critical memory corruption vulnerability that allows remote code execution. Microsoft released a security advisory on December 6, 2017 and says corresponding security updates are available. Here are what I found out till now. [Update: … Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[580,22,2],"tags":[773,528,86,194],"class_list":["post-4442","post","type-post","status-publish","format-standard","hentry","category-security","category-update","category-windows","tag-defender","tag-microsoft-security-essentials","tag-vulnerability","tag-windows"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/4442","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=4442"}],"version-history":[{"count":0,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/4442\/revisions"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=4442"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=4442"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=4442"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}