Microsoft has released a critical update for a major security hole in its Malware Protection Engine (MPE), described by Google's Tavis Ormandy as 'the worst Windows remote code exec[ution vulnerability] in recent history.'
Designed, ironically, to protect Windows systems against malware attack, the Malware Protection Engine (MPE) comes loaded into Windows by default in the guise of Windows Defender or Security Essentials, while corporate users may know it under the names Forefront Endpoint Protection, Microsoft Endpoint Protection, Forefront Security for SharePoint, System Centre Endpoint Protection, or Windows Intune Endpoint Protection. Whatever name it goes under, however, if unpatched it is trivially exploitable for remote code execution under the system privilege level - a serious security issue for all Windows users.
'I think @natashenka and I just discovered the worst Windows remote code exec in recent memory. This is crazy bad,
' reported Google security researcher Tavis Ormandy on Twitter
following the discovery of the flaw by the company's Project Zero security team. Microsoft, having received Ormandy's report, responded quickly in verifying the issue and issuing a patch with a security advisory
published late last night.
'The update addresses a vulnerability that could allow remote code execution if the Microsoft Malware Protection Engine scans a specially crafted file,
' Microsoft explains in its advisory notice. 'An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the LocalSystem account and take control of the system.
Exploitation of the vulnerability is, unfortunately, trivial. As with many remote code execution vulnerabilities, the most common method is to deliver a malicious file through the web browser by tricking the user into visiting a certain link or by injecting the malware into advertising delivery networks; an easier alternative for this flaw, though, comes in the ability to exploit the vulnerability simply by sending a malicious email, even if the user never actually opens the email in question.
An update for all products using the Malware Protection Engine has now been issued, and will be installed automatically.