Another Gaping Hole in Windows Defender Killed By Microsoft

27Jun - by Pax_tan - 0 - In News

On Friday, Microsoft rolled out an out-of-band security update that patched a major security flaw in the Microsoft Malware Protection Engine (MsMpEng), a core security service part of the Microsoft ecosystem.

Amazon Self-Driving Vehicles for More Efficient, Cheaper Delivery Amazon has set up a skunkworks project to explore using self-driving vehicles to deliver packages. Amazon wouldn’t necessarily develop the vehicles themselves. Instead, it wants to see how driverless vehicles would improve package delivery and make Amazon more efficient.The...

The bug, tracked as CVE-2017-8558, affects the x86 emulator included with the Malware Protection Engine and was discovered by Google Project Zero researcher Tavis Ormandy.

According to a technical write-up by Ormandy, the vulnerability allows an attacker to execute code on a user's computer, gain LocalSystem privileges, and take over the victim's PC.

Exploitation is ridiculously simple

Exploiting this flaw is ridiculously simple as it requires an attacker to send a malformed file to the victim via various methods: email, chat message, file download, or trick the victim into accessing a malicious website hosting a weaponized JS file.

There's no user interaction needed, as the MsMpEng will immediately scan new content arriving on the user's PC, and the attacker will gain immediate control over the target's system.

This is a big issue because the Malware Protection Engine has been shipped as a built-in service in all Windows OS versions since Windows 7, and is a core component of a series of Microsoft security products such as Windows Defender, Microsoft Security Essentials, Microsoft Endpoint Protection, Windows Intune Endpoint Protection, and Microsoft Forefront Endpoint Protection. The bug would allow an attacker to crash and bypass these security products.

Atari to Make its First Console in Decades, but What the Heck Is It? Atari has announced its intention to re-enter the console market, 23 years after its last platform, the Atari Jaguar, launched. The company has said very little about its plans for the hardware, and hasn’t even confirmed if its working on a retro game platform or if it actual...

In an advisory, Microsoft said all above-listed products are affected by this issue. The OS maker patched this vulnerability via a silent update to the Malware Protection Engine in version 1.1.13903.0.

The Microsoft Malware Protection Engine silently updates itself, so no user interaction is needed unless the user has specifically blocked updates via update management software.

PoC demo was so dangerous it needed to be encrypted

Ormandy also put together a proof-of-concept file to demo the flaw for Microsoft employees. Showing just how dangerous and easy to exploit this bug was, Ormandy had to encrypt the PoC demo when sending it to Microsoft because he risked crashing Microsoft's email servers the moment the PoC reached their systems.

This is the second time when Ormandy had to encrypt PoC demos. In early May, Ormandy discovered a similar bug, which he described as "crazy bad" and "the worst Windows remote code exec in recent memory."

Three weeks later, one of his colleagues also discovered a series of issues affecting the same MsMpEng component.

Bug would have been worth millions of dollars

All these bugs are dangerous because they allow attackers to crash or bypass security services and take over user's systems. An issue like, if sold on hacking forums, would have pocketed authors millions of dollars, allowing a secret door into any Windows computer on Earth.

New MacOS Malware Found Spying On HTTPS Traffic Today, Malware Research team at CheckPoint have discovered a new piece of fully-undetectable Mac malware, which according to them, affects all versions of Mac OS X, has zero detections on VirusTotal and is "signed with a valid developer certificate (authenticated by Apple)."Dubbe...

Ormandy says he discovered this bug using a technique called fuzzing, which takes random data and feeds it into a program's input to test how the software reacts and exposing bugs.

Over the winter, Ormandy built a tool that ports Windows Defender DLLs to Linux in order to use Linux-based fuzzing tools to test for Windows Defender bugs. He said he specifically put this tool together for testing Windows Defender. Apparently, it worked, exposing issues Microsoft's own fuzzing didn't catch.

Leave a Reply

Your email address will not be published. Required fields are marked *