The point of antivirus is to keep malware off the system. A particularly nasty software flaw in Microsoft’s antivirus engine could do the exact opposite and let attackers install malware on vulnerable systems.
The critical security vulnerability in the Microsoft Malware Protection Engine affects a number of Microsoft products, including Windows Defender, Windows Intune Endpoint Protection, Microsoft Security Essentials, Microsoft System Center Endpoint Protection, Microsoft Forefront Security for SharePoint, Microsoft Endpoint Protection, and Microsoft Forefront Endpoint Protection. These tools are enabled by default in Windows 8, 8.1, 10, and Windows Server 2012.
Microsoft released an emergency out-of-band security update to fix the remotely exploitable type confusion bug (CVE-2017-0290) on Monday, along with a security advisory.
“Vulnerabilities in MsMpEng [Microsoft Malware Protection Engine] are among the most severe possible in Windows, due to the privilege, accessibility, and ubiquity of the service,” Tavis Ormandy, a security researcher with Google’s Project Zero, who found the flaw along with fellow researcher Natalie Silvanovich, who called it “crazy bad.”
Attackers hide the malicious payload in files, and when the antivirus scanner checks the file to determine whether it is malicious, the scan inadvertently executes the malicious code on the system with administrative privileges. The malware gets full control of the system and can perform any number of tasks, such as installing spyware and other tools or stealing data.
“Typically, no action is required of enterprise administrators or end users to install updates for the Microsoft Malware Protection Engine, because the built-in mechanism for the automatic detection and deployment of updates will apply the update within 48 hours of release,” Microsoft’s security team wrote in the advisory. "The exact time frame depends on the software used, Internet connection, and infrastructure configuration.”
Ormandy initially teased the existence of the bug on Twitter toward Friday's end, but didn’t provide any details because Project Zero was discussing the flaw with Microsoft’s security team. The engine runs on the system level without sandboxing and is remotely accessible without authentication via different Windows services.
The component within the engine that evaluates the filesystem or network activity that looks like JavaScript is “an unsandboxed and highly privileged JavaScript interpreter that is used to evaluate untrusted code, by default on all modern Windows systems,” Ormandy wrote. The function JsDelegateObject_Error::toString() reads the object’s message property, but doesn’t validate the input to make sure it is a string.
The type confusion flaw allows any attacker to pass other arbitrary objects.
Despite the severity of the flaw, Microsoft said its exploitability was low—or “less likely" that someone would develop an exploit and take over vulnerability systems. Even so, no one wants a critical bug, described by Silvanovich as “the worst Windows remote code [execution] in recent memory, floating around in the system, hoping the patch arrives before criminals figure out the bug. The prospect of having to wait until next month to get the security update meant there was not much Windows administrators could do until them.
There were some mitigations: Ormandy recommended adding a blanket exception for c:\ to prevent automatic scanning of the filesystem activity. Turning off real-time protection doesn’t help, though, since the payload will be executed during the next scheduled scan.
“Still blown away at how quickly Microsoft Security responded to protect users,” Ormandy wrote on Twitter on Monday. “I can’t give enough kudos. Amazing.”