- Oct 23, 2012
- 12,527
Microsoft quietly patched a critical vulnerability Wednesday in its Malware Protection Engine. The vulnerability was found May 12 by Google’s Project Zero team, which said an attacker could have crafted an executable that when processed by the Malware Protection Engine’s emulator could enable remote code execution.
Unlike a May 9 emergency patch for what Google researchers called the worst Windows vulnerability in recent memory, this week’s bug was a silent fix, said Project Zero researcher Tavis Ormandy, who privately disclosed it to Microsoft. The previous zero day (CVE-2017-0290) was also in the Microsoft Malware Protection Engine, running in most of Microsoft’s antimalware offerings bundled with Windows.
“MsMpEng includes a full system x86 emulator that is used to execute any untrusted files that look like PE executables. The emulator runs as NT AUTHORITY\SYSTEM and isn’t sandboxed,” Ormandy wrote. “Browsing the list of win32 APIs that the emulator supports, I noticed ntdll!NtControlChannel, an ioctl-like routine that allows emulated code to control the emulator.”
That exposed the MsMpEng engine to a number of different problems such as giving attackers the ability to carry out various input/output control commands.
Unlike a May 9 emergency patch for what Google researchers called the worst Windows vulnerability in recent memory, this week’s bug was a silent fix, said Project Zero researcher Tavis Ormandy, who privately disclosed it to Microsoft. The previous zero day (CVE-2017-0290) was also in the Microsoft Malware Protection Engine, running in most of Microsoft’s antimalware offerings bundled with Windows.
“MsMpEng includes a full system x86 emulator that is used to execute any untrusted files that look like PE executables. The emulator runs as NT AUTHORITY\SYSTEM and isn’t sandboxed,” Ormandy wrote. “Browsing the list of win32 APIs that the emulator supports, I noticed ntdll!NtControlChannel, an ioctl-like routine that allows emulated code to control the emulator.”
That exposed the MsMpEng engine to a number of different problems such as giving attackers the ability to carry out various input/output control commands.
“Command 0x0C allows allows you to parse arbitrary-attacker controlled RegularExpressions to Microsoft GRETA (a library abandoned since the early 2000s)… Command 0x12 allows you to load additional “microcode” that can replace opcodes… Various commands allow you to change execution parameters, set and read scan attributes and UFS metadata. This seems like a privacy leak at least, as an attacker can query the research attributes you set and then retrieve it via scan result,” Ormandy wrote.
Both Microsoft and Google did not return requests for comment.
“This was potentially an extremely bad vulnerability, but probably not as easy to exploit as Microsoft’s earlier zero day, patched just two weeks ago,” said Udi Yavo, co-founder and CTO of enSilo, in an interview with Threatpost.
The fact the MsMpEng isn’t sandboxed is also notable, said Yavo. He said most Windows applications such as Microsoft Edge browser are sandboxed. That means an adversary targeting Edge would have to exploit a vulnerability in Edge and then escape the sandbox to cause harm. “MsMpEng is not sandboxed, meaning if you can exploit a vulnerability there it’s game over,” Yavo said.
Yavo also notes that while both bugs are tied to the same MsMpEng engine they exploit different aspects of the service. The vulnerability patched Thursday is tied specifically to the way the emulator processes files, whereas the previous vulnerability was tied to the MsMpEng’s JavaScript interpreter.
Ormandy notes another unique aspect of this bug in Microsoft’s Malware Protection Engine. “The emulator’s job is to emulate the client’s CPU. But, oddly Microsoft has given the emulator an extra instruction that allows API calls. It’s unclear why Microsoft creates special instructions for the emulator. If you think that sounds crazy, you’re not alone,” he wrote.
Microsoft did not issue a security advisory regarding this patch, as it did for the previous zero day. Users don’t have to take any action if their security products are set to the default, which will update their engines and definitions automatically.