Last Friday, Tavis Ormandy and Natalie Silvanovich reported that they had discovered “the worst Windows remote code exec in recent memory”.
The vulnerability was reported to Microsoft who released an advisory: https://technet.microsoft.com/library/security/4022344.aspx
The good news: no action is required by enterprise administrators if the default configuration, automatic updating of definitions and of the Malware Protection Engine, has been kept in place.
Otherwise, patch now!
From the advisory:
Why is no action required to install this update?
In response to a constantly changing threat landscape, Microsoft frequently updates malware definitions and the Microsoft Malware Protection Engine. In order to be effective in helping protect against new and prevalent threats, antimalware software must be kept up to date with these updates in a timely manner.
For enterprise deployments as well as end users, the default configuration in Microsoft antimalware software helps ensure that malware definitions and the Microsoft Malware Protection Engine are kept up to date automatically. Product documentation also recommends that products are configured for automatic updating.
| CVE ID | Vulnerability Title | Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment |
|---|---|---|---|---|
| CVE-2017-0290 | Scripting Engine Memory Corruption Vulnerability | 2 – Exploitation Less Likely | 2 – Exploitation Less Likely | Not applicable |
To exploit this vulnerability, a specially crafted file has to be scanned by the system. The file can be delivered in numerous ways: via the web, as an e-mail attachment, etc.
The real-time scan will automatically scan such files, and this functionality is nothing you should disable.
The real-time scan also runs on file shares, so this vulnerability does not only apply to clients.
Affected products
| Antimalware Software | Microsoft Malware Protection Engine Remote Code Execution Vulnerability - CVE-2017-0290 |
|---|---|
| Microsoft Forefront Endpoint Protection 2010 | Critical Remote Code Execution |
| Microsoft Endpoint Protection | Critical Remote Code Execution |
| Microsoft Forefront Security for SharePoint Service Pack 3 | Critical Remote Code Execution |
| Microsoft System Center Endpoint Protection | Critical Remote Code Execution |
| Microsoft Security Essentials | Critical Remote Code Execution |
| Windows Defender for Windows 7 | Critical Remote Code Execution |
| Windows Defender for Windows 8.1 | Critical Remote Code Execution |
| Windows Defender for Windows RT 8.1 | Critical Remote Code Execution |
| Windows Defender for Windows 10, Windows 10 1511, Windows 10 1607, Windows Server 2016, Windows 10 1703 | Critical Remote Code Execution |
| Windows Intune Endpoint Protection | Critical Remote Code Execution |
Actions:
- Verify that the update is installed
- If necessary, install the update
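A way to carry out both actions, and to confirm the automatic-update and real-time-scan points made above, on a Windows 10 / Windows Server 2016 host with the built-in Defender PowerShell module. This is an added example, not code from the original post or from Microsoft; it uses the real cmdlets `Get-MpComputerStatus` and `Update-MpSignature`, but the fixed engine version is a placeholder parameter that you take from the advisory linked above, and the two-day definition-age threshold is an assumption.

```powershell
# Added example (not part of the original post or the Microsoft advisory).
# Checks that the Malware Protection Engine is at or above the fixed version,
# that definitions are current, and that real-time protection is still on.
# Run from an elevated PowerShell on Windows 10 / Server 2016.
#
# $MinimumEngineVersion is a placeholder: read the "first fixed" engine version
# from https://technet.microsoft.com/library/security/4022344.aspx and pass it in.
param(
    [Parameter(Mandatory = $true)]
    [version]$MinimumEngineVersion,   # placeholder, taken from the advisory
    [int]$MaxDefinitionAgeDays = 2    # assumption: definitions older than this count as stale
)

$status = Get-MpComputerStatus

# AMEngineVersion is a string like "1.1.xxxxx.0"; cast to [version] so the
# comparison is numeric per component rather than a lexical string compare.
$engine   = [version]$status.AMEngineVersion
$engineOk = $engine -ge $MinimumEngineVersion

$defAge = (Get-Date) - $status.AntivirusSignatureLastUpdated
$defsOk = $defAge.TotalDays -le $MaxDefinitionAgeDays

# Real-time scanning is what feeds a delivered file to the engine, but as the
# post says it is not something to turn off; the fix is the engine update.
# Report its state so a disabled scanner is noticed, do not change it.
$rtpOn = $status.RealTimeProtectionEnabled

[pscustomobject]@{
    ComputerName           = $env:COMPUTERNAME
    EngineVersion          = $engine
    EngineAtOrAboveFix     = $engineOk
    DefinitionVersion      = $status.AntivirusSignatureVersion
    DefinitionsLastUpdated = $status.AntivirusSignatureLastUpdated
    DefinitionsCurrent     = $defsOk
    RealTimeProtection     = $rtpOn
}

if (-not $engineOk -or -not $defsOk) {
    # Second action from the post: fetch the current engine/definition package now.
    # Update-MpSignature uses the same update path as the automatic schedule.
    Write-Warning "Engine $engine is below $MinimumEngineVersion or definitions are stale; updating."
    Update-MpSignature
    # Re-read so the operator sees the engine version actually running after the update.
    "Engine version after update: $((Get-MpComputerStatus).AMEngineVersion)"
}
```

Run it as `.\Check-MpEngine.ps1 -MinimumEngineVersion <version from the advisory>`; across a fleet, the same status object can be collected with `Invoke-Command` and filtered on `EngineAtOrAboveFix -eq $false`. For the older products in the table (Forefront, SCEP, Security Essentials) the Defender module is not available, so check the engine version through that product's own client or management console instead.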
For further information:
https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5