Microsoft issued out-of-band patch to fix CVE-2018-0986 Malware Protection Engine flaw

Pierluigi Paganini April 04, 2018

On April 3, Microsoft Out-Of-Band Security Update to address the CVE-2018-0986 vulnerability affecting the Microsoft Malware Protection Engine (MMPE).

Microsoft Malware Protection Engine is the core component for malware detection and cleaning of several Microsoft anti-malware software. It is currently implemented in Windows Defender, Microsoft Security Essentials, Microsoft Endpoint Protection, Windows Intune Endpoint Protection, and Microsoft Forefront Endpoint Protection.

The CVE-2018-0986 flaw could be exploited by attackers to execute malicious code on a Windows system with system privileges to gain the full control of the vulnerable machine.

The CVE-2018-0986 vulnerability rated as ‘critical’ was discovered by Thomas Dullien, white hat hacker at the Google Project Zero.

“A remote code execution vulnerability exists when the Microsoft Malware Protection Engine does not properly scan a specially crafted file, leading to memory corruption. An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the LocalSystem account and take control of the system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.“reads  the security advisory published by Microsoft.

“To exploit this vulnerability, a specially crafted file must be scanned by an affected version of the Microsoft Malware Protection Engine,” 

According to the experts, it is quite easy to exploit the flaw, an attacker can deploy the malicious code inside JavaScript files hosted on the website then it needs to trick the victim into visiting it. Another attack scenario sees the hackers send the malicious code as attachment of an email sent to the victim, or via an instant messaging client.

The attack doesn’t need user interaction because the Microsoft Malware Protection Engine automatically scans all incoming files.

Experts pointed out that Windows Defender is enabled by default on Windows 10.

Microsoft has addressed the flaw in MMPE version 1.1.14700.5, the security patch is going to be delivered without needing user interaction.

CVE-2018-0986

“For affected software, verify that the Microsoft Malware Protection Engine version is 1.1.14700.5 or later.

If necessary, install the update Administrators of enterprise antimalware deployments should ensure that their update management software is configured to automatically approve and distribute engine updates and new malware definitions. Enterprise administrators should also verify that the latest version of the Microsoft Malware Protection Engine and definition updates are being actively downloaded, approved and deployed in their environment.” states Microsoft.

“For end-users, the affected software provides built-in mechanisms for the automatic detection and deployment of this update. For these customers, the update will be applied within 48 hours of its availability. The exact time frame depends on the software used, Internet connection, and infrastructure configuration.”

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – CVE-2018-0986 vulnerability, Microsoft Malware Protection Engine)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment