security 'Crazy bad' bug in Microsoft's Windows malware scanner can be used to install malware

[captain_to_fire]

Sources: The Register & Microsoft TechNet

 

When I thought that Windows Defender is getting better according to third party tests [here and here] and decided to switch back, it can actually be used to exploit your PC.

 

Antimalware Software	Microsoft Malware Protection Engine Remote Code Execution Vulnerability- CVE-2017-0290
Microsoft Forefront Endpoint Protection 2010	Critical   Remote Code Execution
Microsoft Endpoint Protection	Critical   Remote Code Execution
Microsoft Forefront Security for SharePoint Service Pack 3	Critical   Remote Code Execution
Microsoft System Center Endpoint Protection	Critical   Remote Code Execution
Microsoft Security Essentials	Critical   Remote Code Execution
Windows Defender for Windows 7	Critical   Remote Code Execution
Windows Defender for Windows 8.1	Critical   Remote Code Execution
Windows Defender for Windows RT 8.1	Critical   Remote Code Execution
Windows Defender for Windows 10, Windows 10 1511, Windows 10 1607, Windows Server 2016, Windows 10 1703	Critical   Remote Code Execution
Windows Intune Endpoint Protection	Critical   Remote Code Execution

Quote

Miscreants can turn the tables on Microsoft and use its own antivirus engine against Windows users – by abusing it to install malware on vulnerable machines.

A particularly nasty security flaw exists in Redmond's anti-malware software, which is packaged and marketed in various forms: Windows Defender, Windows Intune Endpoint Protection, Microsoft Security Essentials, Microsoft System Center Endpoint Protection, Microsoft Forefront Security for SharePoint, Microsoft Endpoint Protection, and Microsoft Forefront Endpoint Protection. All are, at this moment, at risk. It is switched on by default in Windows 8, 8.1, 10, and Windows Server 2012.

It is possible for hackers to craft files that are booby-trapped with malicious code, and this nasty payload is executed inadvertently and automatically by the scanner while inspecting the data. The injected code runs with administrative privileges, allowing it to gain full control of the system, install spyware, steal files, and so on.

In other words, while Microsoft's scanner is searching a downloaded file for malware, it can be tricked into running and installing the very sort of software nasty it's supposed to catch and kill.

Thankfully the bug was immediately patched today.

Quote

On Monday night, in an emergency update, Microsoft fixed the vulnerability in its security packages. This upgrade will be automatically fetched and installed by the scanner engine on your machines, quietly closing the embarrassing security hole over the next two days.

"The update addresses a vulnerability that could allow remote code execution if the Microsoft Malware Protection Engine scans a specially crafted file," explained Redmond's security team.

"An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the LocalSystem account and take control of the system.

"Typically, no action is required of enterprise administrators or end users to install updates for the Microsoft Malware Protection Engine, because the built-in mechanism for the automatic detection and deployment of updates will apply the update within 48 hours of release. The exact time frame depends on the software used, Internet connection, and infrastructure configuration."

So someone from Google Project Zero tweeted about the vulnerability and caused a little bit of twitter hysteria.

Full details of the vulnerability on the Chromium website here. As it turns out, the vulnerability was reported to Microsoft days ago. I guess Google actually did the penetration testing in favor of Microsoft. Meanwhile, keep your OS up to date. But it's kinda ironic that a security product can be used for executing malware. From my understanding, AV heuristics involves executing the suspected malicious file in a sandbox and if the AV detects unusual behavior, it will encrypt the malicious file so that it can no longer infect the PC. I guess Microsoft is not that good at it. While Windows Defender has improved in detection and protection (see here and here), I guess PC users are better off with third party AVs especially if you're in a risky environment like a college or university where people are constantly plugging in their USB flash drives.

Edited May 9, 2017 by hey_yo_
removed formatting

[captain_to_fire]

From Microsoft;

Advisory Details

 

 

Issue References

For more information about this issue, see the following references:

References	Identification
Last version of the Microsoft Malware Protection Engine affected by this vulnerability	Version 1.1.13701.0
First version of the Microsoft Malware Protection Engine with this vulnerability addressed	Version 1.1.13704.0

*If your version of the Microsoft Malware Protection Engine is equal to or greater than this version, then you are not affected by this vulnerability and do not need to take any further action. For more information on how to verify the engine version number that your software is currently using, see the section, "Verifying Update Installation", in Microsoft Knowledge Base Article 2510781.

Edited May 9, 2017 by GoodBytes
Forming fix

[SageOfSpice]

Does  that include EMET?

[AlwaysFSX]

You should probably fix your color formatting.

[captain_to_fire]

Just now, SageOfSpice said:

Does  that include EMET?

I don't know. It doesn't say anything in the Technet advisory. Also, it's nearing its end of life cycle https://support.microsoft.com/en-us/help/2458544/the-enhanced-mitigation-experience-toolkit

[SSL]

Security software running with admin privileges, what could go wrong.

[LAwLz]

40 minutes ago, SSL said:

Security software running with admin privileges, what could go wrong.

Doesn't it have to run with admin privileges? It wouldn't be able to scan a lot of files otherwise.

[captain_to_fire]

42 minutes ago, SSL said:

Security software running with admin privileges, what could go wrong.

I think the issue is about a maliciously crafted file that can trick Windows Defender's defenses. Which means Windows Defender is not very good in blocking zero-day malware unlike its competitors. 

[suicidalfranco]

please use the "remove format" button when copy pasting quotes

Spoiler

 

[captain_to_fire]

4 minutes ago, suicidalfranco said:

please use the "remove format" button when copy pasting quotes

  Reveal hidden contents

 

fixed it 

[SCHISCHKA]

they should issue a refund to everyone who paid extra for their security suites

[Urishima]

16 minutes ago, LAwLz said:

Doesn't it have to run with admin privileges? It wouldn't be able to scan a lot of files otherwise.

I would see that as a fundamental flaw. Why would you need anything other than read access to scan a file?

[leadeater]

12 minutes ago, hey_yo_ said:

I think the issue is about a maliciously crafted file that can trick Windows Defender's defenses. Which means Windows Defender is not very good in blocking zero-day malware unlike its competitors. 

The potential for that to happen is there for any scanning engine, I wouldn't say it's any more susceptible to zero-day attacks than any other AV tool. The only ones that would truly protect you from an attack like this is if all scanning of files is done in a sandboxed environment that when the scan finishes it's destroyed, some already do this.

[leadeater]

6 hours ago, Urishima said:

I would see that as a fundamental flaw. Why would you need anything other than read access to scan a file?

Alter file permissions 'Deny Everyone' or 'Deny Administrators' or remove default permissions and only allow specific account any access to a file or folder at all.

 

There is actually a special privilege in Windows that you can trigger called 'SeBackupPrivilege', once you elevate yourself to this privilege you cannot be denied access to any file on the computer at all no matter what. The original intent of this is rather obvious by it's name, backup software is utterly useless if you can't 100% guarantee that you can backup every file on the system.

[captain_to_fire]

15 minutes ago, Urishima said:

I would see that as a fundamental flaw. Why would you need anything other than read access to scan a file?

If an app has admin privileges, it can both read and write files and from what I understand, it's closer to the kernel which is the heart of the operating system. Some AVs need that to protect the kernel from rootkits. I don't think privileges is the issue but rather a bug in scanning. 

 

It's kinda like HIV attacking the immune system if you look at it. HIV tricks the immune cells to welcome the virus and an infection ensues. With Windows Defender, a probable bug in their scanning mechanism is being exploited by malware designed to use Windows Defender as a conduit in infecting a PC.

12 minutes ago, leadeater said:

The potential for that to happen is there for any scanning engine, I wouldn't say it's any more susceptible to zero-day attacks than any other AV tool. The only ones that would truly protect you from an attack like this is if all scanning of files is done in a sandboxed environment that when the scan finishes it's destroyed, some already do this.

I think some third party AVs like Bitdefender and Kaspersky Lab implement sandboxing while scanning as a part of their heuristics. If the AV suspects a file that isn't included in their signatures, it will execute it in a sandbox and if it tries to do anything malicious, it will encrypt the file so that it can no longer infect and it's uploaded to their servers for analysis.

 

The bottom line of course is that security is only as good as the person sitting in front of the computer.

[leadeater]

4 minutes ago, hey_yo_ said:

I think some third party AVs like Bitdefender and Kaspersky Lab implement sandboxing while scanning as a part of their heuristics. If the AV suspects a file is that isn't in their signatures, it will execute it in a sandbox and if it tries to do anything malicious, it will encrypt the file so that it can no longer infect and it's uploaded to their servers for analysis.

Yea, sandboxing should be way more common than it is by now. Sure it requires more system resources but most computers now days are not short on that.

[mr moose]

how embarrassing.

[Doobeedoo]

Well good it was fixed rather quickly though.

[Guest Darth Revan]

Well if you're using Microsoft's wannabe antivirus programs, then you deserve to get infected, so you can learn to use a third party antivirus software which actually does its job.

[captain_to_fire]

2 hours ago, Darth Revan said:

Well if you're using Microsoft's wannabe antivirus programs, then you deserve to get infected, so you can learn to use a third party antivirus software which actually does its job.

To be fair, Windows Defender outperformed a some paid third party anti-virus apps. Check it here & here. Though it may not be as good as others in detecting zero day malware because of their crappy heuristics.

[Bouzoo]

5 hours ago, leadeater said:

guarantee 

Do you literally have something against black theme users? 

[imPixelTV]

cant be exploited if you dont even have the right version of windows

[leadeater]

58 minutes ago, Bouzoo said:

Do you literally have something against black theme users? 

No more like utter indifference since I don't use it or want to use it so I cannot tell if there is an issue , should be fixed now though.

[The Benjamins]

1 hour ago, imPixelTV said:

cant be exploited if you dont even have the right version of windows

MEME

A antivirus exploit can't be used if you don't have a antivirus.

 

[imPixelTV]

Just now, The Benjamins said:

A anti virus exploit can't be used if you don't have a anti virus.

 

i suppose you're right