
CVE-2017-0290 – RCE in The Microsoft Malware Protection Engine

Last Friday, Tavis Ormandy and Natalie Silvanovich reported that they had discovered “the worst Windows remote code exec in recent memory”.

The vulnerability was reported to Microsoft who released an advisory: https://technet.microsoft.com/library/security/4022344.aspx

The good news is that no action is required by enterprise administrators if the default configuration is kept, under which malware definitions and the Malware Protection Engine are updated automatically.

Otherwise, patch now!

From the advisory:

Why is no action required to install this update?
In response to a constantly changing threat landscape, Microsoft frequently updates malware definitions and the Microsoft Malware Protection Engine. In order to be effective in helping protect against new and prevalent threats, antimalware software must be kept up to date with these updates in a timely manner.

For enterprise deployments as well as end users, the default configuration in Microsoft antimalware software helps ensure that malware definitions and the Microsoft Malware Protection Engine are kept up to date automatically. Product documentation also recommends that products are configured for automatic updating.

CVE ID: CVE-2017-0290
Vulnerability Title: Scripting Engine Memory Corruption Vulnerability
Exploitability Assessment for Latest Software Release: 2 – Exploitation Less Likely
Exploitability Assessment for Older Software Release: 2 – Exploitation Less Likely
Denial of Service Exploitability Assessment: Not applicable


To exploit this vulnerability, a specially crafted file has to be scanned by the system. The file can be delivered in numerous ways: via the web, as an e-mail attachment, etc.

The real-time scan will automatically scan such files, and this functionality is nothing you should disable.
The real-time scan also runs on file shares, so this vulnerability does not only apply to clients.

Affected products

Severity and impact of the Microsoft Malware Protection Engine Remote Code Execution Vulnerability (CVE-2017-0290), per antimalware software:

Microsoft Forefront Endpoint Protection 2010: Critical, Remote Code Execution
Microsoft Endpoint Protection: Critical, Remote Code Execution
Microsoft Forefront Security for SharePoint Service Pack 3: Critical, Remote Code Execution
Microsoft System Center Endpoint Protection: Critical, Remote Code Execution
Microsoft Security Essentials: Critical, Remote Code Execution
Windows Defender for Windows 7: Critical, Remote Code Execution
Windows Defender for Windows 8.1: Critical, Remote Code Execution
Windows Defender for Windows RT 8.1: Critical, Remote Code Execution
Windows Defender for Windows 10, Windows 10 1511, Windows 10 1607, Windows Server 2016, Windows 10 1703: Critical, Remote Code Execution
Windows Intune Endpoint Protection: Critical, Remote Code Execution


Actions:

  • Verify that the update is installed
  • If necessary, install the update
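One way to carry out the first action on a host, as an added PowerShell example that is not part of the original post: it reads the installed engine version (via Get-MpComputerStatus where the Defender module exists, otherwise from registry values whose paths are an assumption) and compares it numerically with the first fixed engine version, which this page does not state and which you must take from the Microsoft advisory linked above.

```powershell
# Added example (not from the original post): check whether a host's
# Malware Protection Engine is at or above the version that fixes
# CVE-2017-0290. The fixed engine version is NOT stated on this page;
# take it from Microsoft advisory 4022344 and pass it via -FixedVersion.
param(
    [Parameter(Mandatory = $true)]
    [string]$FixedVersion   # '<first fixed engine version from advisory 4022344>'
)

function Get-MpEngineVersion {
    # Preferred source: the Defender module (Windows 8.1 / Server 2012 R2 and later).
    if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
        return (Get-MpComputerStatus).AMEngineVersion
    }
    # Fallback for SCEP / FEP / MSE / Windows 7 Defender: registry values
    # written by the signature updater (these paths are an assumption;
    # verify them on your own builds before relying on this branch).
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows Defender\Signature Updates',
        'HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware\Signature Updates'
    )
    foreach ($k in $keys) {
        $v = (Get-ItemProperty -Path $k -Name EngineVersion -ErrorAction SilentlyContinue).EngineVersion
        if ($v) { return $v }
    }
    return $null
}

function Test-EnginePatched {
    param([string]$Current, [string]$Fixed)
    # Engine versions are dotted quads; compare them as [version], not as
    # strings, so that 1.1.10000.0 correctly sorts above 1.1.9999.0.
    if (-not $Current) { return $false }
    return ([version]$Current -ge [version]$Fixed)
}

$current = Get-MpEngineVersion
if (Test-EnginePatched -Current $current -Fixed $FixedVersion) {
    Write-Output "OK: engine $current is at or above $FixedVersion"
    exit 0
}
else {
    Write-Output "ACTION REQUIRED: engine version '$current' is below $FixedVersion (or could not be read); trigger a definition update."
    exit 1
}
```

Because the engine also runs on file servers and SharePoint hosts (see the affected products above), run the check there as well, not only on client endpoints.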

For further information:

https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5