December 8, 2017 By Pierluigi Paganini
Microsoft issued an emergency Windows Security Update to address a critical vulnerability, tracked as CVE-2017-11937, that affects the Malware Protection Engine (MPE).
The emergency fix comes a few days before Microsoft is scheduled to roll out its December Patch Tuesday updates.
The critical RCE flaw could be exploited by an attacker to take full control of a victim’s PC. The Malware Protection Engine (MPE) is the main component of the Windows defense system and it implements basic features like scanning, detection, and cleaning.
The Windows Malware Protection Engine is enabled by default and it is used by Microsoft antivirus and antimalware software implemented in its solutions, including Windows Defender and Microsoft Security Essentials along with Endpoint Protection, Forefront Endpoint Protection, and Exchange Server 2013 and 2016, impacting Windows 7, Windows 8.1, Windows 10, Windows RT 8.1, and Windows Server.
The CVE-2017-11937 flaw is a memory corruption vulnerability that is triggered when the Malware Protection Engine scans a specially crafted file for a malicious code.
Triggering the flaw, the attacker can execute malicious code in the security context of the LocalSystem account and take full control of the target’s computer, this means that it could install further malicious code and create accounts with maximum privileges.
“A remote code execution vulnerability exists when the Microsoft Malware Protection Engine does not properly scan a specially crafted file, leading to memory corruption. An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the LocalSystem account and take control of the system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.” reads the security advisory published by Microsoft.
“To exploit this vulnerability, a specially crafted file must be scanned by an affected version of the Microsoft Malware Protection Engine.”
To trigger the flaw, a remote attacker could place a specially crafted malicious file in a location that is scanned by the Malware Protection Engine and this is possible to do in many ways. An attacker, for example, could set up a website to deliver a specially crafted file that is scanned when the victim visits the site.
Another possible attack vector is represented by email, the attacker could deliver a specially crafted file via emails, it is also possible to exploit Instant Messenger services for the same purpose.
Microsoft issued an emergency Windows Security Update to address a critical vulnerability, tracked as CVE-2017-11937, that affects the Malware Protection Engine (MPE).
The emergency fix comes a few days before Microsoft is scheduled to roll out its December Patch Tuesday updates.
The critical RCE flaw could be exploited by an attacker to take full control of a victim’s PC. The Malware Protection Engine (MPE) is the main component of the Windows defense system and it implements basic features like scanning, detection, and cleaning.
The Windows Malware Protection Engine is enabled by default and it is used by Microsoft antivirus and antimalware software implemented in its solutions, including Windows Defender and Microsoft Security Essentials along with Endpoint Protection, Forefront Endpoint Protection, and Exchange Server 2013 and 2016, impacting Windows 7, Windows 8.1, Windows 10, Windows RT 8.1, and Windows Server.
The CVE-2017-11937 flaw is a memory corruption vulnerability that is triggered when the Malware Protection Engine scans a specially crafted file for a malicious code.
Triggering the flaw, the attacker can execute malicious code in the security context of the LocalSystem account and take full control of the target’s computer, this means that it could install further malicious code and create accounts with maximum privileges.
“A remote code execution vulnerability exists when the Microsoft Malware Protection Engine does not properly scan a specially crafted file, leading to memory corruption. An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the LocalSystem account and take control of the system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.” reads the security advisory published by Microsoft.
“To exploit this vulnerability, a specially crafted file must be scanned by an affected version of the Microsoft Malware Protection Engine.”
To trigger the flaw, a remote attacker could place a specially crafted malicious file in a location that is scanned by the Malware Protection Engine and this is possible to do in many ways. An attacker, for example, could set up a website to deliver a specially crafted file that is scanned when the victim visits the site.
Another possible attack vector is represented by email, the attacker could deliver a specially crafted file via emails, it is also possible to exploit Instant Messenger services for the same purpose.
