A new Windows zero-day exploit has been discovered, and it's possibly one of the most serious vulnerabilities to date. It targets Windows Defender's Microsoft Malware Protection Engine (MsMpEng), tricking it into executing code when the engine scans a file.
What makes the bug so serious is how MsMpEng operates: It uses a filesystem minifilter to inspect every single bit of filesystem activity. That means anything that writes to a hard disk--temp files, downloads, caches, email attachments ... everything.
There's no better way to describe the severity of this vulnerability than how Project Zero said it in their bug report: "Vulnerabilities in MsMpEng are among the most severe possible in Windows, due to the privilege, accessibility, and ubiquity of the service."
Luckily there's already a patch available.
How the exploit works
It starts when a user visits a site where an infected file lives. Or a local email client downloads an email, an attachment comes via a chat message, or anything else happens that involves writing data to the local disk, which is pretty much everything.
SEE: Zero day exploits: The smart person's guide (TechRepublic)
Many anti-malware programs will start a scan if real-time protection is turned on. The second the infected file is scanned it activates, giving outside users access to the LocalSystem account. Once in, a hacker has total access and control of a machine.
The exploit is a serious problem and is even worse when real-time protection is on. Without it the infected file will activate only when the system is scanned--but you won't know it's there until it's too late.
Who is affected?
There's a laundry list of systems affected by the MsMpEng bug. If you're running one of these systems you need to do an emergency update right away:
- Microsoft Forefront Endpoint Protection 2010
- Microsoft Endpoint Protection
- Microsoft Forefront Security for SharePoint Service Pack 3
- Microsoft System Center Endpoint Protection
- Microsoft Security Essentials
- Windows Defender for Windows 7
- Windows Defender for Windows 8.1 and RT 8.1
- Windows Defender for Windows 10
- Windows 10 1511, Windows 10 1607
- Windows Server 2016
- Windows 10 Creator's Update
- Windows Intune Endpoint Protection
SEE: Zero Days: Why the disturbing Stuxnet documentary is a must-see (TechRepublic)
There's technically no need for systems administrators to act on this one--the patch will be deployed automatically to affected systems. It's still a good idea to jump on it now, however, which you can do by manually installing the update.
Microsoft says there haven't been any reports of the exploit found in the wild, but don't take that chance.
The three big takeaways for TechRepublic readers:
- Researchers with Google's Project Zero found a vulnerability with Microsoft's Windows Defender's Microsoft Malware Protection Engine that allowed hackers to gain access to a system by causing virus scans to execute code hidden in an infected file.
- The exploit is incredibly easy to trigger: Anything that causes data to be written to a disk starts the Protection Engine's scan and could activate the code.
- Microsoft has already released a patch that will automatically install during updates, but for extra security you can install it manually.
- Gallery: The top zero day Dark Web markets (TechRepublic)
- Microsoft releases emergency patch for 'crazy bad' Windows zero-day bug (ZDNET)
- From vulnerability to exploit in 96 minutes, or why software fire drills are necessary (TechRepublic)
- Windows 10: DoubleAgent zero-day hijacks Microsoft tool to turn antivirus into malware (ZDNET)
- Microsoft Office vulnerabilities mean no .doc is safe (CBS News)