CVE-2017-11937 | Microsoft releases an emergency update to fix a flaw in Malware Protection Engine

Microsoft issued an emergency Windows Security Update to address a critical flaw, tracked as CVE-2017-11937, that affects the Malware Protection Engine.

Microsoft issued an emergency Windows Security Update to address a critical vulnerability, tracked as CVE-2017-11937, that affects the Malware Protection Engine (MPE).

The emergency fix comes a few days before Microsoft is scheduled to roll out its December Patch Tuesday updates.

The critical RCE flaw could be exploited by an attacker to take full control of a victim’s PC. The Malware Protection Engine (MPE) is the main component of the Windows defense system and it implements basic features like scanning, detection, and cleaning.

The Windows Malware Protection Engine is enabled by default and it is used by Microsoft antivirus and antimalware software implemented in its solutions, including Windows Defender and Microsoft Security Essentials along with Endpoint Protection, Forefront Endpoint Protection, and Exchange Server 2013 and 2016, impacting Windows 7, Windows 8.1, Windows 10, Windows RT 8.1, and Windows Server.

The CVE-2017-11937 flaw is a memory corruption vulnerability that is triggered when the Malware Protection Engine scans a specially crafted file for a malicious code.

Triggering the flaw, the attacker can execute malicious code in the security context of the LocalSystem account and take full control of the target’s computer, this means that it could install further malicious code and create accounts with maximum privileges.

“A remote code execution vulnerability exists when the Microsoft Malware Protection Engine does not properly scan a specially crafted file, leading to memory corruption. An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the LocalSystem account and take control of the system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.” reads the security advisory published by Microsoft.

“To exploit this vulnerability, a specially crafted file must be scanned by an affected version of the Microsoft Malware Protection Engine.”

To trigger the flaw, a remote attacker could place a specially crafted malicious file in a location that is scanned by the Malware Protection Engine and this is possible to do in many ways. An attacker, for example, could set up a website to deliver a specially crafted file that is scanned when the victim visits the site.

Another possible attack vector is represented by email, the attacker could deliver a specially crafted file via emails, it is also possible to exploit Instant Messenger services for the same purpose.

“There are many ways that an attacker could place a specially crafted file in a location that is scanned by the Microsoft Malware Protection Engine.” continues Microsoft.

“For example, an attacker could use a website to deliver a specially crafted file to the victim’s system that is scanned when the website is viewed by the user. An attacker could also deliver a specially crafted file via an email message or in an Instant Messenger message that is scanned when the file is opened. In addition, an attacker could take advantage of websites that accept or host user-provided content, to upload a specially crafted file to a shared location that is scanned by the Malware Protection Engine running on the hosting server.”

Microsoft has released an out-of-band critical update to address the vulnerability is urging users to install it as soon as possible.

For enterprise deployments as well as end users, the default configuration in Microsoft antimalware software helps ensure that malware definitions and the Microsoft Malware Protection Engine are kept up to date automatically

The critical CVE-2017-11937 vulnerability was reported to Microsoft by the UK’s National Cyber Security Centre (NCSC), a division of the UK GCHQ intelligence agency.

Microsoft assured that the vulnerability was not exploited in attacks in the wild.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – CVE-2017-11937 vulnerability, Windows)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.