Intelligence Agencies Start Sharing Vulnerabilities – UK’s GCHQ Helps Microsoft Fix Flaws in Windows Defender

– Originally published on December 7

Microsoft is releasing an emergency security patch to fix a remote code execution bug in its Malware Protection Engine. The Malware Protection Engine provides the scanning, detection, and cleaning capabilities for the company's antivirus and anti-spyware products. The Redmond software giant writes that the vulnerability can be triggered when the Malware Protection Engine scans a specially crafted file, for example one that has just been downloaded, to check it for threats. Tracked as CVE-2017-11937, the flaw is believed to have been patched before any exploitation in the wild.


When Malware Engine needs protection from malware…

Microsoft said that attackers could exploit a memory corruption bug simply by placing a specially crafted file in a location that the Microsoft Malware Protection Engine scans; the engine's mishandling of that file lets the attacker's code run, with no need for the attacker to be logged on or for the victim to open the file once real-time scanning picks it up. "There are many ways that an attacker could place a specially crafted file in a location that is scanned by the Microsoft Malware Protection Engine," the company warned.

“For example, an attacker could use a website to deliver a specially crafted file to the victim’s system that is scanned when the website is viewed by the user. An attacker could also deliver a specially crafted file via an email message or in an Instant Messenger message that is scanned when the file is opened. In addition, an attacker could take advantage of websites that accept or host user-provided content, to upload a specially crafted file to a shared location that is scanned by the Malware Protection Engine running on the hosting server.”

Attackers are able to exploit this remote code execution vulnerability because the Microsoft Malware Protection Engine fails to properly scan a specially crafted file, leading to memory corruption. Because the engine runs with system privileges, the consequences are severe, as Redmond explained:

“An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the LocalSystem account and take control of the system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

The company added that if real-time scanning is not enabled, "the attacker would need to wait until a scheduled scan occurs in order for the vulnerability to be exploited". Disabling real-time scanning therefore only delays exploitation rather than preventing it. The fix released by the company addresses the vulnerability by correcting the way the Microsoft Malware Protection Engine scans specially crafted files.


The security flaw affects Windows Defender in Windows 7, Windows 8.1, and Windows 10, as well as Microsoft Security Essentials, Endpoint Protection, Forefront Endpoint Protection, and Exchange Server 2013 and 2016. It was the UK's National Cyber Security Centre (NCSC), a part of GCHQ, that discovered the flaw and helped the Redmond software giant fix it. GCHQ and other intelligence agencies are notorious for hoarding vulnerabilities for their own surveillance uses. It appears that they may be changing their ways a little to appear more helpful to tech companies.

More details about the affected products and the bug, which has been rated critical, are available over at Microsoft. Because the engine is updated through the same channel as malware definition updates rather than through a separate Windows Update package, the company said the patch should be installed automatically on systems that receive definition updates, with no administrator action required.
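Administrators who do not want to take the automatic update on faith can confirm it from PowerShell. The check below is an added example and not code from the original article or from Microsoft: it reads the installed engine version and real-time protection state with the Defender module's Get-MpComputerStatus cmdlet and compares the engine version against the minimum version Microsoft's advisory for CVE-2017-11937 lists as fixed (that version number is taken from the advisory and should be verified against it before being relied on). The Defender module is available on Windows 8.1, Windows 10 and the corresponding server releases; on Windows 7 with Microsoft Security Essentials, run `MpCmdRun.exe -SignatureUpdate` and read the engine version from the product's About dialog instead.

```powershell
# Added example (not from the original article or from Microsoft): verify that the
# Malware Protection Engine on this host is at or above the version Microsoft lists as
# fixed for CVE-2017-11937, and report whether real-time scanning is on.
# Minimum fixed engine version as listed in Microsoft's advisory for CVE-2017-11937;
# confirm against the advisory before relying on this value.
$FixedEngineVersion = [version]'1.1.14405.2'

# Get-MpComputerStatus is part of the Defender module (Windows 8.1/10 and server releases).
$status = Get-MpComputerStatus
$engine = [version]$status.AMEngineVersion

[pscustomobject]@{
    ComputerName         = $env:COMPUTERNAME
    EngineVersion        = $engine
    FixedEngineVersion   = $FixedEngineVersion
    Patched              = ($engine -ge $FixedEngineVersion)
    # If this is $false, the bug is still reachable, only via the next scheduled scan.
    RealTimeProtection   = $status.RealTimeProtectionEnabled
    SignatureLastUpdated = $status.AntivirusSignatureLastUpdated
}

if ($engine -lt $FixedEngineVersion) {
    # Engine updates ship with definition updates, so forcing a definition update
    # is the quickest way to pull the fixed engine onto a host that has fallen behind.
    Write-Warning "Engine $engine is older than $FixedEngineVersion; requesting a definition update."
    Update-MpSignature
}
```

Run this across a fleet (for example via Invoke-Command) and look for any host where Patched is false after the definition update has had time to apply; a host that stays behind is usually one that cannot reach the update source at all, which is a separate problem worth fixing.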
