Date:05/04/18
Yesterday, April 3, Microsoft released an emergency security update via Windows Update that fixes CVE-2018-0986, a vulnerability in the Microsoft Malware Protection Engine (MMPE).
MMPE (mpengine.dll) is the malware scanning, detection, and cleaning component of several Microsoft antivirus and antispyware programs, such as Windows Defender, Microsoft Security Essentials, Microsoft Endpoint Protection, Windows Intune Endpoint Protection, and Microsoft Forefront Endpoint Protection.
A Google security researcher discovered a flaw in the MMPE component that allows attackers to execute malicious code on a Windows machine. Because the MMPE component runs with system privileges, the bug, if exploited, can grant attackers complete control over a victim's system.
Microsoft rated the vulnerability as "critical," its highest severity level. "To exploit this vulnerability, a specially crafted file must be scanned by an affected version of the Microsoft Malware Protection Engine," the company said in an advisory.
Exploitation is trivial, as an attacker can host the malicious code inside JavaScript files served over a website the victim is accessing, add the malicious code to email file attachments, or send a boobytrapped file to a victim via an instant messaging client.
Because the MMPE component automatically scans all incoming files by default, no user interaction is needed to exploit the flaw.
Furthermore, on Windows 10, Windows Defender is enabled by default, so all Windows 10 systems are vulnerable out-of-the-box and will require an update.
The good news is that Microsoft decoupled MMPE component updates from OS updates, meaning Microsoft can silently deliver the necessary patches without needing user interaction.
The OS maker has fixed the flaw in MMPE version 1.1.14700.5, which should be deployed on all vulnerable systems in the next 48 hours unless system admins and PC owners have specifically blocked MMPE updates via local policies.
Microsoft credited Thomas Dullien of Google Project Zero for discovering the CVE-2018-0986 vulnerability. This is the fourth similar MMPE remote code execution bug that the Project Zero team has discovered in Microsoft's Malware Protection Engine [1, 2, 3]. The UK's GCHQ spy agency found and reported a similar MMPE bug last December.
Microsoft Out-Of-Band Security Update Patches Malware Protection Engine Flaw
Yesterday, April 3, Microsoft released an emergency security update via Windows Update that fixes CVE-2018-0986, a vulnerability in the Microsoft Malware Protection Engine (MMPE).MMPE (mpengine.dll) is the malware scanning, detection, and cleaning component of several Microsoft antivirus and antispyware programs, such as Windows Defender, Microsoft Security Essentials, Microsoft Endpoint Protection, Windows Intune Endpoint Protection, and Microsoft Forefront Endpoint Protection.
A Google security researcher discovered a flaw in the MMPE component that allows attackers to execute malicious code on a Windows machine. Because the MMPE component runs with system privileges, the bug, if exploited, can grant attackers complete control over a victim's system.
Microsoft rated the vulnerability as "critical," its highest severity level. "To exploit this vulnerability, a specially crafted file must be scanned by an affected version of the Microsoft Malware Protection Engine," the company said in an advisory.
Exploitation is trivial, as an attacker can host the malicious code inside JavaScript files served over a website the victim is accessing, add the malicious code to email file attachments, or send a boobytrapped file to a victim via an instant messaging client.
Because the MMPE component automatically scans all incoming files by default, no user interaction is needed to exploit the flaw.
Furthermore, on Windows 10, Windows Defender is enabled by default, so all Windows 10 systems are vulnerable out-of-the-box and will require an update.
The good news is that Microsoft decoupled MMPE component updates from OS updates, meaning Microsoft can silently deliver the necessary patches without needing user interaction.
The OS maker has fixed the flaw in MMPE version 1.1.14700.5, which should be deployed on all vulnerable systems in the next 48 hours unless system admins and PC owners have specifically blocked MMPE updates via local policies.
Microsoft credited Thomas Dullien of Google Project Zero for discovering the CVE-2018-0986 vulnerability. This is the fourth similar MMPE remote code execution bug that the Project Zero team has discovered in Microsoft's Malware Protection Engine [1, 2, 3]. The UK's GCHQ spy agency found and reported a similar MMPE bug last December.
Views: 437
©ictnews.az. All rights reserved.
Similar news
- Cellphone Use May Raise Cancer Risk
- Australian police pushes cyber safety education
- Vietnam aims to lead in e-government
- Senate Website Gets Hacked
- US builds net for cyber war games
- Japan enacts anti-computer virus law
- India passes law vs e-waste
- Anonymous Declares War On The City Of Orlando
- Microsoft highlights evolving dangers as online identity data proliferates
- Consumers want internet security to be provided by banks
- Government facilities targets of cyber attack
- South Korean web attacks might been war drill
- Sri Lanka to Establish National Passport Database to Increase Border Security
- Hi-tech crime agencies set to employ information security professionals
- Phone hacking and online campaign bring down the News of the World
