Microsoft has patched the critical vulnerability in its Malware Protection Engine that was discovered on May 12 by the researchers at the Google’s Project Zero team.
The vulnerability could be exploited by an attacker that has crafted an executable that when processed by the Malware Protection Engine’s emulator could trigger the RCE flaw.
On May 9, Google’s Project Zero discovered another flaw, tracked as CVE-2017-0290, that was fixed with an emergency patch released just three days after its disclosure.
According to the Project Zero researcher Tavis Ormandy, unlike the CVE-2017-0290 vulnerability, this bug was a silent fix. Ormandy privately disclosed the vulnerability to Microsoft.
There is an undocumented opcode in the MsMpEng x86 emulator that can access internal emulator commands ¯_(ツ)_/¯ https://t.co/N0Z64Fofna
— Tavis Ormandy (@taviso) May 25, 2017
“MsMpEng includes a full system x86 emulator that is used to execute any untrusted files that look like PE executables. The emulator runs as NT AUTHORITY\SYSTEM and isn’t sandboxed,” Ormandy wrote. “Browsing the list of win32 APIs that the emulator supports, I noticed ntdll!NtControlChannel, an ioctl-like routine that allows emulated code to control the emulator.” reads the security advisory.
The attacker can exploit the vulnerability to execute a number of control commands.
The vulnerability is difficult to exploit, even if MsMpEng isn’t sandboxed, many applications are sandboxed, this implies that the attacker needs to evade the sandbox to trigger the issue.
According to Ormandy, the emulator component emulates the client’s CPU, but Microsoft has given it an extra instruction that allows API calls. The hackers highlighted he was surprised finding a special set of instructions for the emulator.
Microsoft did not publish any security advisory for this vulnerability.
(Security Affairs – Malware Protection Engine, hacking)