The emergency fix comes a few days before Microsoft is scheduled to roll out its December Patch Tuesday updates.
The critical RCE flaw could be exploited by an attacker to take full control of a victim’s PC. The Malware Protection Engine (MPE) is the main component of the Windows defense system and it implements basic features like scanning, detection, and cleaning.
The Windows Malware Protection Engine is enabled by default and it is used by Microsoft antivirus and antimalware software implemented in its solutions, including Windows Defender and Microsoft Security Essentials along with Endpoint Protection, Forefront Endpoint Protection, and Exchange Server 2013 and 2016, impacting Windows 7, Windows 8.1, Windows 10, Windows RT 8.1, and Windows Server.
The CVE-2017-11937 flaw is a memory corruption vulnerability that is triggered when the Malware Protection Engine scans a specially crafted file for a malicious code.
Triggering the flaw, the attacker can execute malicious code in the security context of the LocalSystem account and take full control of the target’s computer, this means that it could install further malicious code and create accounts with maximum privileges.
“A remote code execution vulnerability exists when the Microsoft Malware Protection Engine does not properly scan a specially crafted file, leading to memory corruption. An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the LocalSystem account and take control of the system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.” reads the security advisory published by Microsoft.
“To exploit this vulnerability, a specially crafted file must be scanned by an affected version of the Microsoft Malware Protection Engine.”
To trigger the flaw, a remote attacker could place a specially crafted malicious file in a location that is scanned by the Malware Protection Engine and this is possible to do in many ways. An attacker, for example, could set up a website to deliver a specially crafted file that is scanned when the victim visits the site.
Another possible attack vector is represented by email, the attacker could deliver a specially crafted file via emails, it is also possible to exploit Instant Messenger services for the same purpose.
“There are many ways that an attacker could place a specially crafted file in a location that is scanned by the Microsoft Malware Protection Engine.” continues Microsoft.
“For example, an attacker could use a website to deliver a specially crafted file to the victim’s system that is scanned when the website is viewed by the user. An attacker could also deliver a specially crafted file via an email message or in an Instant Messenger message that is scanned when the file is opened. In addition, an attacker could take advantage of websites that accept or host user-provided content, to upload a specially crafted file to a shared location that is scanned by the Malware Protection Engine running on the hosting server.”
Microsoft has released an out-of-band critical update to address the vulnerability is urging users to install it as soon as possible.
For enterprise deployments as well as end users, the default configuration in Microsoft antimalware software helps ensure that malware definitions and the Microsoft Malware Protection Engine are kept up to date automatically
The critical CVE-2017-11937 vulnerability was reported to Microsoft by the UK’s National Cyber Security Centre (NCSC), a division of the UK GCHQ intelligence agency.
Microsoft assured that the vulnerability was not exploited in attacks in the wild.
(Security Affairs – CVE-2017-11937 vulnerability, Windows)