Microsoft this week released an update for the Microsoft Malware Protection Engine (MPE) to address a critical severity remote code execution (RCE) vulnerability in it.
The flaw could lead to memory corruption and allow an attacker to execute arbitrary code to take control over a vulnerable machine. Discovered by UK’s National Cyber Security Centre (NCSC), the bug is tracked as CVE-2017-11937.
Because code can be executed in the security context of the LocalSystem account, the attacker could take control of the system and install programs; view, change, or delete data; or create new accounts with full user rights.
Exploitation is possible if a specially crafted file is scanned by an affected version of the Microsoft Malware Protection Engine (the last vulnerable version is 1.1.14306.0).
There are multiple ways an actor could launch an attack leveraging the bug, Microsoft says. An attacker could lure the victim to a website containing the specially crafted file, or they could send the malicious file via email or instant messaging. They could also load the file to a site that accepts or hosts user-provided content, in a shared location.
“If the affected antimalware software has real-time protection turned on, the Microsoft Malware Protection Engine will scan files automatically, leading to exploitation of the vulnerability when the specially crafted file is scanned. If real-time scanning is not enabled, the attacker would need to wait until a scheduled scan occurs in order for the vulnerability to be exploited,” Microsoft explained.
The software giant also notes that all systems running an affected version of antimalware software are primarily at risk.
The company has issued an update to correct the manner in which the Microsoft Malware Protection Engine scans specially crafted files.
The update will be delivered automatically to the affected systems and no action is required of enterprise administrators or end users. The update should reach all impacted software within 48 hours of release.
Impacted applications include Microsoft Forefront and Microsoft Defender on Windows 7 SP1, Windows 8.1, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and 1703, 1709 and Windows Server 2016, Windows Server version 1709, Microsoft Exchange Server 2013 and 2016, Microsoft Security Essentials, and Windows Intune Endpoint Protection.
Microsoft Malware Protection Engine version 1.1.14405.2 resolves the vulnerability.