Less than three weeks after the Google Project Zero researcher Tavis Ormandy reported the worst Windows remote code exec in recent memory …🔥🔥🔥, another critical vulnerability was patched by Microsoft Wednesday last week in its Malware Protection Engine.
The vulnerability is said to allow an attacker to craft an executable that when processed by the Malware Protection Engine’s emulator, could enable remote code execution.
Tavis Ormandy, the Project Zero researcher who privately disclosed the vulnerability to Microsoft, wrote that “MsMpEng includes a full system x86 emulator that is used to execute any untrusted files that look like PE executables. The emulator runs as NT AUTHORITY\SYSTEM and isn’t sandboxed. Browsing the list of win32 APIs that the emulator supports, I noticed ntdll!NtControlChannel, an ioctl-like routine that allows emulated code to control the emulator.”
This potentially exposed the MsMpEng engine to a number of different problems such as giving attackers the ability to carry out various input/output control commands.
Udi Yavo, co-founder and CTO of enSilo, calls it “potentially an extremely bad vulnerability”, though not as easily exploitable as Microsoft’s earlier zero day that was patched just three weeks ago.
While Microsoft has not commented on this at least publicly, Threatpost (the source of this story) says that users don’t have to take any action if their security products are set to the default, which will update their engines and definitions automatically.
However, if for any reason you have disabled Windows Security Auto Update, you may want to run a quick scan and install any updates if available.
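For admins who want to confirm the fix landed rather than trust the auto-update, the PowerShell below is an added example (not part of the Threatpost story or any Microsoft tooling). It reads the local Malware Protection Engine version and definition age through the built-in Defender cmdlets, forces an update when either is stale, and then runs the quick scan the article recommends. The `$MinimumEngineVersion` default is a placeholder: replace it with the fixed engine version from Microsoft’s advisory, which this page does not quote.

```powershell
# Added example, not from the original article.
# Assumes the Defender module cmdlets (Get-MpComputerStatus, Update-MpSignature,
# Start-MpScan) are available and the shell is elevated.
param(
    # PLACEHOLDER: set to the patched MsMpEng version from Microsoft's advisory.
    [version]$MinimumEngineVersion = '0.0.0.0',
    # Definitions older than this are treated as stale even if the engine is current.
    [int]$MaxSignatureAgeDays = 2
)

function Test-MpEngineCurrent {
    param([version]$MinimumVersion, [int]$MaxAgeDays)

    $status  = Get-MpComputerStatus
    $engine  = [version]$status.AMEngineVersion          # e.g. "1.1.xxxxx.0"
    $sigAge  = (Get-Date) - $status.AntivirusSignatureLastUpdated

    Write-Host ("Engine version     : {0}" -f $engine)
    Write-Host ("Signature version  : {0}" -f $status.AntivirusSignatureVersion)
    Write-Host ("Signatures updated : {0:N1} days ago" -f $sigAge.TotalDays)

    # Both conditions must hold for the host to be considered current.
    return ($engine -ge $MinimumVersion) -and ($sigAge.TotalDays -le $MaxAgeDays)
}

if (-not (Test-MpEngineCurrent -MinimumVersion $MinimumEngineVersion -MaxAgeDays $MaxSignatureAgeDays)) {
    Write-Warning "Engine or definitions are stale; pulling the latest update."
    # Engine updates ship through the same channel as definition updates,
    # so a signature update also brings in a newer MsMpEng when one is available.
    Update-MpSignature
    $null = Test-MpEngineCurrent -MinimumVersion $MinimumEngineVersion -MaxAgeDays $MaxSignatureAgeDays
}

# A quick scan after updating exercises the freshly loaded engine.
Start-MpScan -ScanType QuickScan
```

Run it from an elevated prompt; if `Get-MpComputerStatus` reports an engine version below the advisory’s fixed build after `Update-MpSignature` completes, the update channel itself is the thing to investigate (proxy, WSUS approval, or the disabled auto-update the article mentions).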