Intelligence Agencies Start Sharing Vulnerabilities – UK’s GCHQ Helps Microsoft Fix Flaws in Windows Defender


- Originally published on December 7

Microsoft is releasing an emergency security patch to fix a remote code execution bug in its Malware Protection Engine. Microsoft's Malware Protection Engine provides the scanning, detection, and cleaning capabilities for the company's antivirus and anti-spyware software. The Redmond software giant writes that the vulnerability can be triggered when the Malware Protection Engine scans a downloaded file (that has been specially crafted) to check it for potential threats. Tracked as CVE-2017-11937, the flaw is believed to have been addressed before any misuses in the wild.

AMD and Microsoft Release Official Patches for Windows 11 Errors To Fix Ryzen CPU L3 & CCPC2 Issues

When Malware Engine needs protection from malware...

Microsoft said that attackers could place a specially crafted file in a location that is scanned by the Microsoft Malware Protection Engine to exploit a memory corruption bug enabling them to execute code remotely. "There are many ways that an attacker could place a specially crafted file in a location that is scanned by the Microsoft Malware Protection Engine," the company warned.

"For example, an attacker could use a website to deliver a specially crafted file to the victim's system that is scanned when the website is viewed by the user. An attacker could also deliver a specially crafted file via an email message or in an Instant Messenger message that is scanned when the file is opened. In addition, an attacker could take advantage of websites that accept or host user-provided content, to upload a specially crafted file to a shared location that is scanned by the Malware Protection Engine running on the hosting server."

Attackers are then able to exploit this remote code execution vulnerability because Microsoft Malware Protection Engine fails to properly scan a specially crafted file, leading to memory corruption. Redmond explained (emphasis is ours).

"An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the LocalSystem account and take control of the system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."

The company added that if realtime scanning is not enabled, "the attacker would need to wait until a scheduled scan occurs in order for the vulnerability to be exploited". The fix that has been released by the company addresses the vulnerability by correcting the way Microsoft Malware Protection Engine scans specially crafted files to avoid this exploit.

The security flaw affects Windows Defender in Windows 7, Windows 8.1, Windows 10, and Microsoft Security Essentials, Endpoint Protection, Forefront Endpoint Protection, and Exchange Server 2013 and 2016. Apparently, it was the UK's National Cyber Security Centre (NCSC) that discovered these flaws and helped Redmond software giant fix them. GCHQ and other intelligence agencies are notorious for hoarding vulnerabilities for their own surveillance uses. It appears that they may be changing their ways a little to appear more helpful to tech companies.

More details about the affected products and the bug that has been rated as critical are available over at Microsoft. The company said that the patch should be installed automatically.

Earlier: Intel Management Engine Flaws Continue to Create Security Nightmares