In Response, Microsoft Has Patched Its Malware Protection Engine
A Google security researcher has once again found a potentially devastating vulnerability in Microsoft’s Malware Protection Engine, the core component of anti-malware systems that ship with every Windows computer and server.
See Also: Effective Cyber Threat Hunting Requires an Actor and Incident Centric Approach
Microsoft patched the remote code execution flaw on Friday, but the finding once again highlights the danger of vulnerabilities in the very software that’s designed to protect computers from intrusion.
The flaw was found by Tavis Ormandy, a bug hunter with Google’s Project Zero who has a notable track record in finding software flaws in antivirus software.
I wrote a fuzzer for the unsandboxed x86 emulator in Windows Defender and found arbitrary read/write. https://t.co/t29mYNwiAL
— Tavis Ormandy (@taviso) June 23, 2017
Line of Defense
The Malware Protection Engine is the front-line guard for new files or executables that touch the operating system. It is incorporated into several Microsoft security applications, including Windows Defender, Security Essentials and Forefront Endpoint Protection.
Files are first run by an x86 emulator, which gives the engine a chance to see if it appears to do anything suspicious. For some reason, the x86 emulator doesn’t run in a sandbox – an area that is isolated from the rest of the operating system. Sandboxes make it more difficult for attackers, because not only is a successful exploit needed to attack an application, another one – or several flaws – would be needed to escape the sandbox.
“This full system x86 emulator runs as SYSTEM, is unsandboxed, is enabled by default and remotely accessible to attackers,” Ormandy writes in an advisory. He wrote a fuzzer, which is the nickname for a tool for testing for software bugs. Ormandy immediately found a corruption flaw.
“I suspect this has never been fuzzed before,” he writes.
Because files or executables have to pass through the Malware Protection Engine gateway, software vulnerabilities potentially means that attackers can get a foothold into the operating system.
Specially Crafted File
To exploit the vulnerability, an attacker would have to get the victim’s computer to scan a specially crafted file with the Malware Protection Engine, Microsoft writes in an advisory.
“For example, an attacker could use a website to deliver a specially crafted file to the victim’s system that is scanned when the website is viewed by the user,” the company writes. “An attacker could also deliver a specially crafted file via an email message or in an Instant Messenger message that is scanned when the file is opened. An attacker could take advantage of websites that accept or host user-provided content, to upload a specially crafted file to a shared location that is scanned by the Malware Protection Engine running on the hosting server.”
Ironically, there’s also increased danger if users have real-time protection turned on, which is, in theory, a good defense to have in place. “If the affected anti-malware software has real-time protection turned on, the Microsoft Malware Protection Engine will scan files automatically, leading to exploitation of the vulnerability when the specially crafted file is scanned,” Microsoft writes.
Ormandy wrote proof-of-concept code, testcase.txt, that would crash the Malware Protection Engine. To prevent users from inadvertently crashing their computers, he encrypted it.
“Note that as soon as the testcase.txt file touches disk, it will immediately crash the MsMpEng service on Windows, which may destabilize your system,” Ormandy writes. “The testcases have been encrypted to prevent crashing your Exchange server.”
Yet Another Flaw
Just last month, Ormandy and a colleague, Natalie Silvanovich, found what he termed “the worst Windows remote code exec in recent memory” in the very same software (see Devastating Flaw Found in Microsoft’s AV Engine).
That component, called NScript, failed to stop attackers from passing on other objects. It wasn’t sandboxed, either. A victim would not even have to open a rigged email or attachment designed to exploit the vulnerability. Other attack avenues for that issue would be tricking the user into clicking a link in a web browser or one sent via instant messaging.
Vulnerabilities such as the one found by Ormandy could cause widespread trouble if discovered by hackers or nation-states due to Microsoft’s dominance in operating systems. Last month, upwards of 200,000 computers were infected with the WannaCry ransomware (see WannaCry Ransomware Outbreak Spreads Worldwide).
The computers were attacked used a leaked NSA exploit that targeted the Server Message Block protocol, which is used for file sharing. Microsoft issued a patch about a month before the exploit became public, but many organizations and users had not applied it.
Those who created WannaCry, which the U.S. and U.K. governments suspect is North Korea, turned it into a worm, which enables the ransomware to rapidly spread through networks (see British Security Services Tie North Korea to WannaCry).