Microsoft Patches Critical Malware Protection Engine Vulnerability

Microsoft patched a critical vulnerability in the Microsoft Malware Protection Engine present in Windows Defender, Microsoft Security Essentials, and other tools. The flaw was privately reported on Google's Project Zero disclosure platform on May 3 and publicly revealed on May 8 when Microsoft published a security advisory for its customers.

The company said in that security advisory that attackers could exploit the vulnerability to "install programs; view, change, or delete data; or create new accounts with full user rights." Doing so would have required attackers to make a "specially crafted file" meant to be scanned by the Microsoft Malware Protection Engine. Once those scans occur, the file then exploits this vulnerability to compromise and take over the targeted system.

It gets worse. The researchers who found the vulnerability said that you don't even have to download or open malicious files to be compromised:

On workstations, attackers can access mpengine by sending emails to users (reading the email or opening attachments is not necessary), visiting links in a web browser, instant messaging and so on. This level of accessibility is possible because MsMpEng uses a filesystem minifilter to intercept and inspect all system filesystem activity, so writing controlled contents to anywhere on disk (e.g. caches, temporary internet files, downloads (even unconfirmed downloads), attachments, etc.) is enough to access functionality in mpengine. MIME types and file extensions are not relevant to this vulnerability, as MsMpEng uses it's own content identification system.

That makes exploiting this vulnerability easier than it would have been if you had to download and open a malicious file. This led the company to say that "vulnerabilities in MsMpEng are among the most severe possible in Windows" because of the service's "privilege, accessibility, and ubiquity." They didn't find an issue with a specific Microsoft product; they found a critical problem in a tool that serves as the foundation for many other utilities.

"Mpengine is a vast and complex attack surface, comprising of handlers for dozens of esoteric archive formats, executable packers and cryptors, full system emulators and interpreters for various architectures and languages, and so on," the researchers said. "All of this code is accessible to remote attackers." The good news: Microsoft said in its advisory that it has no evidence of this vulnerability being exploited before its disclosure.

What does this mean for you? Probably nothing. By default, tools that rely on the Microsoft Malware Protection Engine are kept up to date automatically for both Microsoft's business customers and general consumers. If you've tinkered with the settings to prevent these automatic updates, however, you should install this patch to make sure an attacker can't exploit this now-public vulnerability on your system.

You can learn how to install the update or verify that it was automatically installed via Microsoft's knowledge base. And just in case you missed it last week, you might want to make sure you keep an eye out for any firmware updates for Intel processors, because a recently disclosed vulnerability in the company's Active Management Technology (AMT), Intel Standard Manageability (ISM), and Intel Small Business Technology (SBT) software was publicly revealed on May 1. The vulnerability affects all Intel chips released since 2008, including the new-ish Kaby Lake processors.

Nathaniel Mott
Freelance News & Features Writer

Nathaniel Mott is a freelance news and features writer for Tom's Hardware US, covering breaking news, security, and the silliest aspects of the tech industry.

  • Mister-S
    M$ The land of vulnerabilities!
  • dennisburke
    An interesting and timely article. I just downloaded and installed Microsoft's monthly rollout. There was one update that 'Failed': "Definition Update for Microsoft Security Essentials -KB2310138 (Definition".
  • Danra
    Micro$haft's new Windows 10 update removes some customization ability by consumers:

    As of 9 May 2017 the following have been removed from the "Serivces" window:
    Connected User Experiences and Telemetry
    Under Settings, Privacy, Feedback and diagnostics, it is greyed out.
    Under Settings, System, Apps and Features have been removed