[CERT ALERT] Critical vulnerability in Microsoft Malware Protection Engine

Olivier Chatail Alerte CERT

A vulnerability has been identified very recently by Google Project Zero in Microsoft’s protection engine :

  • CVE-2017-0290 : Remote Code Exploitation in Microsoft Malware Protection Engine

The security fix KB890830 has now been delivered via Windows updates for workstations.

The associated risk is critical since this vulnerability leads to remote code execution on recent Windows operating systems (workstations and servers) and can be exploited via several different infection vectors.

Devoteam CERT teams recommend an immediate upgrade of the aforementioned application.


Affected products

The vulnerable component is MsMpEng, Microsoft core security engine, in its versions prior to 1.1.13704.0.

This component is used by several products, as Microsoft indicates in its Advisory 4022344, published on the 8th of May :

  • Microsoft Forefront Endpoint Protection 2010
  • Microsoft Endpoint Protection
  • Microsoft Forefront Security for SharePoint Service Pack 3
  • Microsoft System Center Endpoint Protection
  • Microsoft Security Essentials
  • Windows Defender for Windows 7
  • Windows Defender for Windows 8.1
  • Windows Defender for Windows RT 8.1
  • Windows Defender for Windows 10, Windows 10 1511, Windows 10 1607, Windows Server 2016, Windows 10 1703
  • Windows Intune Endpoint Protection


Technical details

MsMpEng is a core component for Windows security tools. It facilitates malware detection via, among others, file analysis using its engine mpengine.

It is executed as NT AUTHORITY\SYSTEM and is not sandboxed, a remote code execution on this component might give the attacker full control of the target host.

MsMpEng permits real time protection via analysis of the files as soon as they hit the filesystem. To do so, it deploys a minifilter driver WdFilter which, when a file is written to disk, decide whether or not to send it to its internal protection engine mpengine.

This decision is based, according to Google teams, on the file’s entropy. It is then analyzed by a specific module of mpengine for its “guessed” file type.

The vulnerability, a missing input validation, has been found in one of these modules called NScript. NScript aims to evalute security of what “looks like Javascript” according to a Google’s PoC comment.

The vulnerability can then be exploited writing a file on the filesystem whose structure “looks like” Javascript with a sufficient entropy score (to get scanned by MsMpEng).

The attack surface is quite enormous and will probably lead to massive remote code execution.

Attack scenarios concern both servers (upload of file on IIS, mail sent or transferred via Exchange) and workstations (receiving an attachment, downloading a file…).