
Microsoft Quietly Patches Another Critical Malware Protection Engine Flaw


RV_


Patch this one now. I didn't see the article until just now at 9PM Sun 28 May.

Excerpt:

"Microsoft quietly patched a critical vulnerability Wednesday in its Malware Protection Engine. The vulnerability was found May 12 by Google’s Project Zero team, which said an attacker could have crafted an executable that when processed by the Malware Protection Engine’s emulator could enable remote code execution.

Unlike a May 9 emergency patch for what Google researchers called the worst Windows vulnerability in recent memory, this week’s bug was a silent fix, said Project Zero researcher Tavis Ormandy, who privately disclosed it to Microsoft. The previous zero day (CVE-2017-0290) was also in the Microsoft Malware Protection Engine, running in most of Microsoft’s antimalware offerings bundled with Windows.

“MsMpEng includes a full system x86 emulator that is used to execute any untrusted files that look like PE executables. The emulator runs as NT AUTHORITY\SYSTEM and isn’t sandboxed,” Ormandy wrote. “Browsing the list of win32 APIs that the emulator supports, I noticed ntdll!NtControlChannel, an ioctl-like routine that allows emulated code to control the emulator.”

That exposed the MsMpEng engine to a number of different problems such as giving attackers the ability to carry out various input/output control commands.

“Command 0x0C allows you to parse arbitrary attacker-controlled RegularExpressions to Microsoft GRETA (a library abandoned since the early 2000s)… Command 0x12 allows you to load additional “microcode” that can replace opcodes… Various commands allow you to change execution parameters, set and read scan attributes and UFS metadata. This seems like a privacy leak at least, as an attacker can query the research attributes you set and then retrieve it via scan result,” Ormandy wrote.

Neither Microsoft nor Google returned requests for comment.

“This was potentially an extremely bad vulnerability, but probably not as easy to exploit as Microsoft’s earlier zero day, patched just two weeks ago,” said Udi Yavo, co-founder and CTO of enSilo, in an interview with Threatpost.

The fact the MsMpEng isn’t sandboxed is also notable, said Yavo. He said most Windows applications such as Microsoft Edge browser are sandboxed. That means an adversary targeting Edge would have to exploit a vulnerability in Edge and then escape the sandbox to cause harm. “MsMpEng is not sandboxed, meaning if you can exploit a vulnerability there it’s game over,” Yavo said.

Yavo also notes that while both bugs are tied to the same MsMpEng engine they exploit different aspects of the service. The vulnerability patched Thursday is tied specifically to the way the emulator processes files, whereas the previous vulnerability was tied to the MsMpEng’s JavaScript interpreter."


More here with related hotlinks and info: https://threatpost.com/microsoft-quietly-patches-another-critical-malware-protection-engine-flaw/125951/?utm_source=newsletter&utm_medium=Email&utm_campaign=tp daily digest

RV/Derek
http://www.rvroadie.com Email on the bottom of my website page.
Retired AF 1971-1998


When you see a worthy man, endeavor to emulate him. When you see an unworthy man, look inside yourself. - Confucius


“Those who can make you believe absurdities, can make you commit atrocities.” ... Voltaire


I just checked. And got this.

2017-05 Cumulative Update for Windows 10 Version 1703 for x64-based Systems (KB4020102)

Full Time since Oct. 1999
99 Discovery 34Q DP | ISB
Datastorm | VMSpc | Co-Pilot Live | Pressure Pro
2014 MKS Twin Turbo V6 365 HP Toad

Duke, I got the same thing Biker got on all three desktops and three tablets here.

While some folks may have gotten them as said in the article, none of my systems did and all but one was in use Thursday and Friday. Here is the Microsoft 2017-05 Cumulative Update for Windows 10 Version 1703 for x64-based Systems (KB4020102) description of its content: https://support.microsoft.com/en-us/help/4020102/windows-10-update-kb4020102

I was concerned when all but my big 2720 installed it without a hitch. But my biggest most capable machine failed to install it on the first five tries!!

See the snip, I forgot to un-select the try that succeeded at the top, so it is still highlighted:


Weird huh? Same here but with three tablets and a Lenovo all in one my Significant Harassment has for her main system, and my XPS 2720. The only tablet we have from the good old days of the first two years of Windows 8, October 2012-2014 is her Dell Venue 11 Pro, my Surface Pro 3 and the newest one, an ASUS T100CHI with an Atom Z3795, Full HD, and USB 3 micro ports, as well as 4 GB of RAM.

Her Venue 11 Pro Z3770, with only 2 GB of RAM is still a snappy computer for what she uses it for. In fact I would sell it but since she rarely uses it, and I get a full discharge and recharge on the monthly Windows updates, I think she will get another few years out of it. Even it got it the first try.


Duke,

Click this link. https://support.microsoft.com/en-us/help/4020102/windows-10-update-kb4020102

That patch number

KB4020102

Was released in the Windows update system 25 May.

1703 is the number for the Creators Update. As named, it is a cumulative set of patches for Windows 1703, the Creators upgrade from March I think.

If you are running that version of Windows 10, then just click Start, then the gear for Windows Settings, then click on "Update & security". Directly under the "Check for updates" box, which would start it looking for updates manually (don't click it), you will see "Update history". Click that, and the list of quality updates comes first; then, if you scroll down, the category "Other updates". You are only concerned with the first group. Each entry starts with the title of the update, which version it is for, and the actual update/patch number, which allows you to get more information:

2017-05 Cumulative Update for Windows 10 Version 1703 for x64-based Systems (KB4020102)

2017-05 is the year and month the patch was delivered to the world

The rest confirms that you got the right patch for your version.

For folks running Windows 7 that will be in the first line instead of Windows 10. On my wife's 32 bit system it says x32 bit and on all my others it says x64.

Then the last numbers in parentheses are the actual patch number. You can go online and just search "what is KB4020102", then click the Microsoft result in the search, and you will be at the link I started this answer with.

So for that patch my entry in Update history says

2017-05 Cumulative Update for Windows 10 Version 1703 for x64-based Systems (KB4020102)

Successfully installed on 5/28/2017.

You can also get more information about each by clicking on the entry in Update history.

Here is a 1 minute video showing how to get to update history for anyone who just dropped in and is confused about the topic.

https://www.youtube.com/watch?v=glAVrvat4Zg

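The same check the post above walks through in Settings can be scripted. The following is an added example written for this thread, not code from the thread or from Microsoft; it assumes a Windows 10 machine with PowerShell and the Defender module, and uses the KB number from the thread (KB4020102) as its default. It reads two views Windows keeps of installed updates: the Win32_QuickFixEngineering list behind Get-HotFix, and the Windows Update Agent history, which is what the Update history page displays and which records every failed attempt as well as the successful one.

```powershell
# Added example (not from the forum thread): check whether a given cumulative update
# is present on this machine, using two views Windows keeps of installed updates.
# $Kb is assumed to be the KB number from the thread; pass another to check a different update.
param(
    [string]$Kb = 'KB4020102'
)

# View 1: Win32_QuickFixEngineering, the source Get-HotFix reads.
# Returns the hotfix object if present, or nothing if the KB is not listed.
function Test-KbInstalledQfe {
    param([string]$Id)
    Get-HotFix -Id $Id -ErrorAction SilentlyContinue
}

# View 2: the Windows Update Agent history, which is what Settings > Update & security >
# Update history shows. ResultCode 2 means "Succeeded"; 4 and 5 are failed/aborted attempts.
function Get-KbUpdateHistory {
    param([string]$Id)
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $count    = $searcher.GetTotalHistoryCount()
    if ($count -eq 0) { return @() }
    $searcher.QueryHistory(0, $count) |
        Where-Object { $_.Title -like "*$Id*" } |
        Select-Object Date, Title,
            @{ Name = 'Result'; Expression = {
                switch ($_.ResultCode) {
                    1 { 'InProgress' } 2 { 'Succeeded' } 3 { 'SucceededWithErrors' }
                    4 { 'Failed' }     5 { 'Aborted' }   default { "Unknown($($_.ResultCode))" }
                }
            } }
}

$qfe = Test-KbInstalledQfe -Id $Kb
if ($qfe) {
    "{0} is listed by Win32_QuickFixEngineering (installed on {1})." -f $Kb, $qfe.InstalledOn
} else {
    "$Kb is not listed by Win32_QuickFixEngineering."
}

# The history shows every attempt, so a machine like the ones in this thread that needed
# several tries will show multiple 'Failed' rows before the single 'Succeeded' row.
$history = Get-KbUpdateHistory -Id $Kb
if ($history) {
    $history | Sort-Object Date | Format-Table -AutoSize
} else {
    "No Windows Update history entries mention $Kb."
}

# The Malware Protection Engine reports its own version separately from the OS cumulative
# update, so record it alongside the KB check (Get-MpComputerStatus is a Defender module cmdlet).
if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
    $status = Get-MpComputerStatus
    "Malware Protection Engine version: {0} (signatures {1})" -f $status.AMEngineVersion, $status.AntivirusSignatureVersion
}
```

Run it as `.\Check-Kb.ps1` for the thread's KB, or `.\Check-Kb.ps1 -Kb KB4020102` explicitly. The two views can disagree: a KB that never finished installing appears in the history with only Failed rows and is absent from Get-HotFix, which is exactly the case Duke and Biker describe above, so the history output is the one to read when an install has been retried.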

Checking available updates finally got me that update. 

Issues 1. Didn't come down automatically even though I had turned off metering for this update only.

2. Failed 8 times before the 9th one was successful. 

3. All failures were within one cycle of downloading the update.


Duke,

Glad you finally got it. It locked the door on some bad malware. Funny how most systems took it first try; others, like my main system and yours and Biker's, took four or six tries.

