Microsoft has patched the critical vulnerability in its Malware Protection Engine that was discovered on May 12 by researchers at Google’s Project Zero team.
The vulnerability could be exploited by an attacker who crafts an executable that, when processed by the Malware Protection Engine’s emulator, triggers the remote code execution (RCE) flaw.
On May 9, Google’s Project Zero discovered another flaw, tracked as CVE-2017-0290, that was fixed with an emergency patch released just three days after its disclosure.
According to Project Zero researcher Tavis Ormandy, unlike the CVE-2017-0290 vulnerability, this bug was fixed silently. Ormandy had privately disclosed the vulnerability to Microsoft.
There is an undocumented opcode in the MsMpEng x86 emulator that can access internal emulator commands ¯\_(ツ)_/¯ https://t.co/N0Z64Fofna
— Tavis Ormandy (@taviso) May 25, 2017
“MsMpEng includes a full system x86 emulator that is used to execute any untrusted files that look like PE executables. The emulator runs as NT AUTHORITY\SYSTEM and isn’t sandboxed,” Ormandy wrote. “Browsing the list of win32 APIs that the emulator supports, I noticed ntdll!NtControlChannel, an ioctl-like routine that allows emulated code to control the emulator.” reads the security advisory.
The attacker can exploit the vulnerability to execute a number of control commands.
The vulnerability is difficult to exploit: even though MsMpEng itself isn’t sandboxed, many applications are, so an attacker would first need to evade the application’s sandbox before being able to trigger the issue.
According to Ormandy, the emulator component emulates the client’s CPU, but Microsoft has given it an extra instruction that allows API calls. The researcher noted that he was surprised to find a special set of instructions for the emulator.
Microsoft did not publish any security advisory for this vulnerability.
(Security Affairs – Malware Protection Engine, hacking)