'Crazy bad' bug in Microsoft's Windows malware scanner can be used to install malware

Posted by hey_yo_ (original poster; edited)

Sources: The Register & Microsoft TechNet

 

Just when I thought that Windows Defender was getting better according to third-party tests [here and here] and decided to switch back, it turns out it can actually be used to exploit your PC.

 

Antimalware Software | Microsoft Malware Protection Engine Remote Code Execution Vulnerability - CVE-2017-0290 (severity / impact)
Microsoft Forefront Endpoint Protection 2010 | Critical / Remote Code Execution
Microsoft Endpoint Protection | Critical / Remote Code Execution
Microsoft Forefront Security for SharePoint Service Pack 3 | Critical / Remote Code Execution
Microsoft System Center Endpoint Protection | Critical / Remote Code Execution
Microsoft Security Essentials | Critical / Remote Code Execution
Windows Defender for Windows 7 | Critical / Remote Code Execution
Windows Defender for Windows 8.1 | Critical / Remote Code Execution
Windows Defender for Windows RT 8.1 | Critical / Remote Code Execution
Windows Defender for Windows 10, Windows 10 1511, Windows 10 1607, Windows Server 2016, Windows 10 1703 | Critical / Remote Code Execution
Windows Intune Endpoint Protection | Critical / Remote Code Execution

Quote

Miscreants can turn the tables on Microsoft and use its own antivirus engine against Windows users – by abusing it to install malware on vulnerable machines.

A particularly nasty security flaw exists in Redmond's anti-malware software, which is packaged and marketed in various forms: Windows Defender, Windows Intune Endpoint Protection, Microsoft Security Essentials, Microsoft System Center Endpoint Protection, Microsoft Forefront Security for SharePoint, Microsoft Endpoint Protection, and Microsoft Forefront Endpoint Protection. All are, at this moment, at risk. It is switched on by default in Windows 8, 8.1, 10, and Windows Server 2012.

It is possible for hackers to craft files that are booby-trapped with malicious code, and this nasty payload is executed inadvertently and automatically by the scanner while inspecting the data. The injected code runs with administrative privileges, allowing it to gain full control of the system, install spyware, steal files, and so on.

In other words, while Microsoft's scanner is searching a downloaded file for malware, it can be tricked into running and installing the very sort of software nasty it's supposed to catch and kill.

Thankfully the bug was immediately patched today.

Quote

On Monday night, in an emergency update, Microsoft fixed the vulnerability in its security packages. This upgrade will be automatically fetched and installed by the scanner engine on your machines, quietly closing the embarrassing security hole over the next two days.

"The update addresses a vulnerability that could allow remote code execution if the Microsoft Malware Protection Engine scans a specially crafted file," explained Redmond's security team.

"An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the LocalSystem account and take control of the system.

"Typically, no action is required of enterprise administrators or end users to install updates for the Microsoft Malware Protection Engine, because the built-in mechanism for the automatic detection and deployment of updates will apply the update within 48 hours of release. The exact time frame depends on the software used, Internet connection, and infrastructure configuration."

So someone from Google Project Zero tweeted about the vulnerability and caused a little bit of Twitter hysteria.

Full details of the vulnerability are on the Chromium website here. As it turns out, the vulnerability was reported to Microsoft days ago. I guess Google actually did the penetration testing in favor of Microsoft. Meanwhile, keep your OS up to date. But it's kinda ironic that a security product can be used for executing malware. From my understanding, AV heuristics involve executing the suspected malicious file in a sandbox, and if the AV detects unusual behavior, it will encrypt the malicious file so that it can no longer infect the PC. I guess Microsoft is not that good at it. While Windows Defender has improved in detection and protection (see here and here), I guess PC users are better off with third-party AVs, especially if you're in a risky environment like a college or university where people are constantly plugging in their USB flash drives.

Edited by hey_yo_ (removed formatting)
Posted by hey_yo_ (original poster; edited)

From Microsoft:

Issue References

For more information about this issue, see the following references:

Identification | References
Last version of the Microsoft Malware Protection Engine affected by this vulnerability | Version 1.1.13701.0
First version of the Microsoft Malware Protection Engine with this vulnerability addressed | Version 1.1.13704.0*

*If your version of the Microsoft Malware Protection Engine is equal to or greater than this version, then you are not affected by this vulnerability and do not need to take any further action. For more information on how to verify the engine version number that your software is currently using, see the section, "Verifying Update Installation", in Microsoft Knowledge Base Article 2510781.

Edited by GoodBytes (formatting fix)
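A way to check an endpoint against the engine-version thresholds quoted above, written for this thread as an added example (it is not Microsoft's own verification procedure from KB 2510781): it reads the engine version reported by the Defender PowerShell module's Get-MpComputerStatus cmdlet, casts both sides to [version] so that 1.1.13701.0 compares correctly against 1.1.13704.0, and, if asked, calls Update-MpSignature instead of waiting for the automatic update cycle the advisory describes. It assumes the Defender module is present on the machine (older products such as Security Essentials and Forefront do not ship it and expose the engine version in their UI instead); the function name Test-MpEngineVersion and the -ForceUpdate switch are this example's own.

```powershell
# Added example for this thread; not Microsoft's own check. Assumes the
# Defender PowerShell module (Get-MpComputerStatus / Update-MpSignature)
# is installed. Version thresholds are the ones quoted from the advisory.

$LastAffectedEngine = [version]'1.1.13701.0'   # last affected version (advisory)
$FirstFixedEngine   = [version]'1.1.13704.0'   # first fixed version (advisory)

function Test-MpEngineVersion {
    <#
    .SYNOPSIS
      Reports whether the local Malware Protection Engine is at or above
      the first version that addresses CVE-2017-0290.
    #>
    [CmdletBinding()]
    param(
        # Trigger an engine/definition update if the engine is still affected.
        [switch]$ForceUpdate
    )

    # Throws if Defender is not installed or the service is not running.
    $status = Get-MpComputerStatus -ErrorAction Stop
    $engine = [version]$status.AMEngineVersion

    $result = [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        EngineVersion   = $engine
        LastAffected    = $LastAffectedEngine
        FirstFixed      = $FirstFixedEngine
        Affected        = ($engine -lt $FirstFixedEngine)
        UpdateTriggered = $false
    }

    if ($result.Affected -and $ForceUpdate) {
        # Pull the latest engine and definitions now rather than waiting for
        # the automatic cycle (up to 48 hours according to the advisory).
        Update-MpSignature -ErrorAction Stop
        $result.UpdateTriggered = $true
        $result.EngineVersion   = [version](Get-MpComputerStatus).AMEngineVersion
        $result.Affected        = ($result.EngineVersion -lt $FirstFixedEngine)
    }

    return $result
}

# Usage: run from an elevated PowerShell session on the endpoint.
Test-MpEngineVersion -ForceUpdate | Format-List
```

For a fleet, the same function can be pushed through Invoke-Command and the returned objects collected, so machines whose engine is still below 1.1.13704.0 show up as Affected = True in one listing.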
Posted by hey_yo_ (original poster)
42 minutes ago, SSL said:

Security software running with admin privileges, what could go wrong.

I think the issue is about a maliciously crafted file that can trick Windows Defender's defenses. Which means Windows Defender is not very good at blocking zero-day malware, unlike its competitors.


please use the "remove format" button when copy pasting quotes

[image: iseenothing.PNG]

 


One day I will be able to play Monster Hunter Frontier in French/Italian/English on my PC, it's just a matter of time... 4 years later: Still patiently waiting

Phones: iPhone 4S | LG V10 | Lumia 920

Laptops: Macbook Pro 15" (mid-2012) | Compaq Presario V6000

Posted by hey_yo_ (original poster)
4 minutes ago, suicidalfranco said:

please use the "remove format" button when copy pasting quotes

[image: iseenothing.PNG]

 

fixed it 

16 minutes ago, LAwLz said:

Doesn't it have to run with admin privileges? It wouldn't be able to scan a lot of files otherwise.

I would see that as a fundamental flaw. Why would you need anything other than read access to scan a file?


I deal in shitposts and shitpost accessories.

12 minutes ago, hey_yo_ said:

I think the issue is about a maliciously crafted file that can trick Windows Defender's defenses. Which means Windows Defender is not very good at blocking zero-day malware, unlike its competitors.

The potential for that to happen is there for any scanning engine; I wouldn't say it's any more susceptible to zero-day attacks than any other AV tool. The only thing that would truly protect you from an attack like this is if all scanning of files is done in a sandboxed environment that is destroyed when the scan finishes; some already do this.

6 hours ago, Urishima said:

I would see that as a fundamental flaw. Why would you need anything other than read access to scan a file?

Alter file permissions to 'Deny Everyone' or 'Deny Administrators', or remove the default permissions and only allow a specific account any access to a file or folder at all.

There is actually a special privilege in Windows that you can trigger called 'SeBackupPrivilege'; once you elevate yourself to this privilege you cannot be denied access to any file on the computer at all, no matter what. The original intent of this is rather obvious from its name: backup software is utterly useless if you can't 100% guarantee that you can back up every file on the system.

Posted by hey_yo_ (original poster)
15 minutes ago, Urishima said:

I would see that as a fundamental flaw. Why would you need anything other than read access to scan a file?

If an app has admin privileges, it can both read and write files and, from what I understand, it's closer to the kernel, which is the heart of the operating system. Some AVs need that to protect the kernel from rootkits. I don't think privileges are the issue but rather a bug in scanning.

 

It's kinda like HIV attacking the immune system if you look at it. HIV tricks the immune cells to welcome the virus and an infection ensues. With Windows Defender, a probable bug in their scanning mechanism is being exploited by malware designed to use Windows Defender as a conduit in infecting a PC.

12 minutes ago, leadeater said:

The potential for that to happen is there for any scanning engine, I wouldn't say it's any more susceptible to zero-day attacks than any other AV tool. The only ones that would truly protect you from an attack like this is if all scanning of files is done in a sandboxed environment that when the scan finishes it's destroyed, some already do this.

I think some third party AVs like Bitdefender and Kaspersky Lab implement sandboxing while scanning as a part of their heuristics. If the AV suspects a file that isn't included in their signatures, it will execute it in a sandbox and if it tries to do anything malicious, it will encrypt the file so that it can no longer infect and it's uploaded to their servers for analysis.

 

The bottom line of course is that security is only as good as the person sitting in front of the computer.

4 minutes ago, hey_yo_ said:

I think some third-party AVs like Bitdefender and Kaspersky Lab implement sandboxing while scanning as a part of their heuristics. If the AV suspects a file that isn't in their signatures, it will execute it in a sandbox and if it tries to do anything malicious, it will encrypt the file so that it can no longer infect and it's uploaded to their servers for analysis.

Yea, sandboxing should be way more common than it is by now. Sure it requires more system resources, but most computers nowadays are not short on that.


Well if you're using Microsoft's wannabe antivirus programs, then you deserve to get infected, so you can learn to use a third party antivirus software which actually does its job.

Posted by hey_yo_ (original poster)
2 hours ago, Darth Revan said:

Well if you're using Microsoft's wannabe antivirus programs, then you deserve to get infected, so you can learn to use a third party antivirus software which actually does its job.

To be fair, Windows Defender outperformed some paid third-party anti-virus apps. Check it here & here. Though it may not be as good as others in detecting zero-day malware because of their crappy heuristics.


cant be exploited if you dont even have the right version of windows

[image: blackman.jpg]

bregsit

PC specs: i5 4460, ASUS Strix RX 470 4GB, 16GB DDR3 1600MHz (2x8GB, cheap Crucial RAM), WD Blue 1TB, Seagate Barracuda 1TB(boot), Windows 7 Professional

Internet: BT Openreach ADSL 11mbps down/1mbps up through a BT Homehub 4
58 minutes ago, Bouzoo said:

Do you literally have something against black theme users? 

No more like utter indifference since I don't use it or want to use it so I cannot tell if there is an issue :P, should be fixed now though.

1 hour ago, imPixelTV said:

cant be exploited if you dont even have the right version of windows

MEME

An antivirus exploit can't be used if you don't have an antivirus.

 

[image: blackman.jpg]


if you want to annoy me, then join my teamspeak server ts.benja.cc

Just now, The Benjamins said:

An antivirus exploit can't be used if you don't have an antivirus.

 

[image: blackman.jpg]

i suppose you're right

