• Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
MUST READ

Arizona woman sentenced for aiding North Korea in U.S. IT job fraud scheme

 | 

Operation CargoTalon targets Russia’s aerospace with EAGLET malware,

 | 

Unpatched flaw in EoL LG LNV5110R cameras lets hackers gain Admin access

 | 

Koske, a new AI-Generated Linux malware appears in the threat landscape

 | 

Mitel patches critical MiVoice MX-ONE Auth bypass flaw

 | 

Coyote malware is first-ever malware abusing Windows UI Automation

 | 

SonicWall fixed critical flaw in SMA 100 devices exploited in Overstep malware attacks

 | 

DSPM & AI Are Booming: $17.87B and $4.8T Markets by 2033

 | 

Stealth backdoor found in WordPress mu-Plugins folder

 | 

U.S. CISA adds CrushFTP, Google Chromium, and SysAid flaws to its Known Exploited Vulnerabilities catalog

 | 

U.S. CISA urges FCEB agencies to fix two Microsoft SharePoint flaws immediately and added them to its Known Exploited Vulnerabilities catalog

 | 

Sophos fixed two critical Sophos Firewall vulnerabilities

 | 

French Authorities confirm XSS.is admin arrested in Ukraine

 | 

Microsoft linked attacks on SharePoint flaws to China-nexus actors

 | 

Cisco confirms active exploitation of ISE and ISE-PIC flaws

 | 

SharePoint under fire: new ToolShell attacks target enterprises

 | 

CrushFTP zero-day actively exploited at least since July 18

 | 

Hardcoded credentials found in HPE Aruba Instant On Wi-Fi devices

 | 

MuddyWater deploys new DCHSpy variants amid Iran-Israel conflict

 | 

U.S. CISA urges to immediately patch Microsoft SharePoint flaw adding it to its Known Exploited Vulnerabilities catalog

 | 
  • Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
  • Home
  • Breaking News
  • Hacking
  • Microsoft fixes Microsoft Malware Protection Engine RCE vulnerability CVE-2017-0290 found by Google

Microsoft fixes Microsoft Malware Protection Engine RCE vulnerability CVE-2017-0290 found by Google

Pierluigi Paganini May 09, 2017

Microsoft fixes the vulnerability in the Microsoft Malware Protection Engine (CVE-2017-0290) discovered just three days by Google experts.

Last week the researchers at the Google Project Zero team have discovered a new critical Windows RCE vulnerability, tracked as CVE-2017-0290, they defined the bug as the worst Windows RCE in recent memory.

I think @natashenka and I just discovered the worst Windows remote code exec in recent memory. This is crazy bad. Report on the way. 🔥🔥🔥

— Tavis Ormandy (@taviso) May 6, 2017

The researchers only revealed the following information on the Windows RCE vulnerability:

  • The PoC exploit the Project Zero team has developed works against default Windows installations.
  • The Windows RCE vulnerability could be exploited by a remote attacker.
  • The attack is “wormable,” capability to spread itself.

It took Microsoft less than three days to fix the critical RCE flaw that affects the Microsoft Malware Protection Engine.

Still blown away at how quickly @msftsecurity responded to protect users, can't give enough kudos. Amazing.

— Tavis Ormandy (@taviso) May 9, 2017

“Microsoft is releasing this security advisory to inform customers that an update to the Microsoft Malware Protection Engine addresses a security vulnerability that was reported to Microsoft.” reads the advisory published by Microsoft.

“The update addresses a vulnerability that could allow remote code execution if the Microsoft Malware Protection Engine scans a specially crafted file. An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the LocalSystem account and take control of the system.

The Microsoft Malware Protection Engine ships with several Microsoft antimalware products.”

CVE-2017-0290 Windows RCE vulnerability

The Flaw affects the “MsMpEng” service, which runs unsandboxed with SYSTEM privileges and is accessible without authentication via Windows services such as Exchange and IIS.

The list of affected software includes Forefront Endpoint Protection, Endpoint Protection, Forefront Security for SharePoint Service Pack 3, System Center Endpoint Protection, Security Essentials, Windows Defender, and Windows Intune Endpoint Protection.

Google Project Zero has published the technical details and the proof-of-concept (PoC) exploit code for the CVE-2017-0290 flaw.

“MsMpEng is the Malware Protection service that is enabled by default on Windows 8, 8.1, 10, Windows Server 2012, and so on. Additionally, Microsoft Security Essentials, System Centre Endpoint Protection and various other Microsoft security products share the same core engine. MsMpEng runs as NT AUTHORITY\SYSTEM without sandboxing, and is remotely accessible without authentication via various Windows services, including Exchange, IIS, and so on.” reads the advisory published by the Google Project Zero Team.”

The Google Project Zero researchers said the vulnerability can be exploited via email – opening the malicious email is not necessary for exploitation – or by getting the targeted user to access a specially crafted link.

“Vulnerabilities in MsMpEng are among the most severe possible in Windows, due to the privilege, accessibility, and ubiquity of the service.” added Google.

“This level of accessibility is possible because MsMpEng uses a file system minifilter to intercept and inspect all system filesystem activity, so writing controlled contents to anywhere on disk (e.g. caches, temporary internet files, downloads (even unconfirmed downloads), attachments, etc) is enough to access functionality in mpengine,” the experts said in their advisory.

The experts highlighted that on workstations, attackers can access mpengine just by sending emails to users (reading the email or opening attachments is not necessary), visiting links in a web browser, instant messaging and so on.

According to Microsoft, the security fix should be sent out automatically to antimalware products that use the Microsoft Malware Protection Engine within 48 hours.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs –  Windows RCE vulnerability, Microsoft Malware Protection Engine)

[adrotate banner=”13″]


facebook linkedin twitter

CVE-2017-0290 Hacking Microsoft Malware Protection Engine RCE Remote Code Execution

you might also like

Pierluigi Paganini July 26, 2025
Arizona woman sentenced for aiding North Korea in U.S. IT job fraud scheme
Read more
Pierluigi Paganini July 25, 2025
Operation CargoTalon targets Russia’s aerospace with EAGLET malware,
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

    recent articles

    Arizona woman sentenced for aiding North Korea in U.S. IT job fraud scheme

    Intelligence / July 26, 2025

    Operation CargoTalon targets Russia’s aerospace with EAGLET malware,

    Intelligence / July 25, 2025

    Unpatched flaw in EoL LG LNV5110R cameras lets hackers gain Admin access

    Security / July 25, 2025

    Koske, a new AI-Generated Linux malware appears in the threat landscape

    Malware / July 25, 2025

    Mitel patches critical MiVoice MX-ONE Auth bypass flaw

    Security / July 25, 2025

    To contact me write an email to:

    Pierluigi Paganini :
    pierluigi.paganini@securityaffairs.co

    LEARN MORE

    QUICK LINKS

    • Home
    • Cyber Crime
    • Cyber warfare
    • APT
    • Data Breach
    • Deep Web
    • Digital ID
    • Hacking
    • Hacktivism
    • Intelligence
    • Internet of Things
    • Laws and regulations
    • Malware
    • Mobile
    • Reports
    • Security
    • Social Networks
    • Terrorism
    • ICS-SCADA
    • POLICIES
    • Contact me

    Copyright@securityaffairs 2024

    We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
    Cookie SettingsAccept All
    Manage consent

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
    Non-necessary
    Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
    SAVE & ACCEPT