Last week, the UK National Cyber Security Centre (NCSC) warned government institutions against using products from the Russian company Kaspersky on computers that handle confidential information. In the NCSC's assessment, Kaspersky's anti-malware software could be leveraged by the Russian state for cyber espionage and therefore poses a risk to UK national security. While the NCSC was working through those concerns and analysing a range of anti-malware products, it uncovered a major vulnerability in Microsoft's own engine.
The NCSC's analysis of Microsoft's antivirus product revealed a critical bug in the Microsoft Malware Protection Engine, the scanning engine behind most of Microsoft's security products, including the default Windows antivirus, Windows Defender. Because the flaw let an attacker execute code remotely on an unpatched machine and take full control of it, Microsoft shipped an emergency engine update at the end of last week to close it.
The vulnerability is tracked as CVE-2017-11937. It affects the engine as shipped on Windows 7, Windows 8.1, Windows RT 8.1 and Windows 10, as well as on Windows Server installations running Microsoft anti-malware products such as Microsoft Security Essentials, Endpoint Protection, Windows Defender and Intune Endpoint Protection. The problem lies in how the Malware Protection Engine parses files during a scan: a specially crafted file can trigger memory corruption in the engine, which an attacker can turn into arbitrary code execution on the targeted machine. Because the engine runs as the LocalSystem account, which is more privileged than a local administrator, successful exploitation gives the attacker full control of the system. No user interaction beyond getting the file onto the machine is needed: it can be delivered by any route that causes the file to be written to disk or scanned, including messaging apps, email attachments and links to websites hosting the malicious file. Where real-time protection is enabled, the engine scans files automatically as they arrive, so the vulnerability is triggered as soon as the crafted file lands on the machine. Where real-time scanning is disabled, the file is not scanned until the next scheduled or manual scan, and exploitation is delayed until then rather than prevented.
The patch corrects the way the Malware Protection Engine parses these crafted files so that the memory corruption no longer occurs, which closes this avenue of attack. The update was released on December 9, 2017. Engine updates are delivered through the normal definition-update channel rather than Windows Update, so affected systems with automatic definition updates enabled should receive it within 48 hours of release without any administrator action. Microsoft credited the NCSC, which is part of the UK signals-intelligence agency GCHQ, with reporting the flaw; the fix was developed in coordination with the NCSC and published together with the advisory, with no public disclosure beforehand. Microsoft says it is not aware of any exploitation in the wild and rates exploitation as "less likely." Even so, all Windows users are advised to confirm that the Malware Protection Engine on their machines is at version 1.1.14405.2 or later, and to force a definition update if it is not.
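To make the version check above concrete, here is an added PowerShell example (not from the original article or from Microsoft) that reads the installed engine version, compares it against the fixed build as a proper `[version]` rather than a string, and forces a definition/engine update if the machine is still behind. It assumes the Defender cmdlets (`Get-MpComputerStatus`, `Update-MpSignature`) on Windows 8.1/10/Server; the registry fallback for Windows 7 and Microsoft Security Essentials, and the `MpCmdRun.exe` paths, are assumptions for this example and should be verified on your own builds.

```powershell
# Added example: check whether the local Malware Protection Engine is at or above
# the version that fixes CVE-2017-11937 (1.1.14405.2). Not code from the article or from Microsoft.
$FixedEngine = [version]'1.1.14405.2'

function Get-MpEngineVersion {
    # Preferred path: the Defender module (Windows 8.1/10/Server 2012 R2 and later).
    if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
        return [version](Get-MpComputerStatus).AMEngineVersion
    }
    # Fallback for Windows 7 / Microsoft Security Essentials, which have no Defender module:
    # read EngineVersion from the signature-update registry keys.
    # (These registry paths are an assumption for this example; verify them on your build.)
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Signature Updates',
            'HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware\Signature Updates'
    foreach ($k in $keys) {
        $v = (Get-ItemProperty -Path $k -Name EngineVersion -ErrorAction SilentlyContinue).EngineVersion
        if ($v) { return [version]$v }
    }
    throw 'Could not determine the Malware Protection Engine version.'
}

function Test-MpEnginePatched {
    param(
        [version]$Installed = (Get-MpEngineVersion),
        [version]$Fixed     = $FixedEngine
    )
    # [version] compares component by component, so 1.1.14405.2 -lt 1.1.14500.0 is true,
    # whereas a plain string comparison would get cases like '1.1.9999.0' vs '1.1.14405.2' wrong.
    return $Installed -ge $Fixed
}

$installed = Get-MpEngineVersion
if (Test-MpEnginePatched -Installed $installed) {
    Write-Output "Engine $installed is at or above $FixedEngine: CVE-2017-11937 is fixed on this host."
} else {
    Write-Warning "Engine $installed is older than $FixedEngine: forcing a definition/engine update."
    if (Get-Command Update-MpSignature -ErrorAction SilentlyContinue) {
        Update-MpSignature   # pulls both signature and engine updates through the definition channel
        Write-Output "Engine now $(Get-MpEngineVersion)"
    } else {
        # Typical locations (assumption): Windows Defender and Security Essentials each ship MpCmdRun.exe.
        Write-Output 'Run "MpCmdRun.exe -SignatureUpdate" from the product install directory, e.g.'
        Write-Output '  "%ProgramFiles%\Windows Defender\MpCmdRun.exe" or "%ProgramFiles%\Microsoft Security Client\MpCmdRun.exe"'
    }
}
```

Run it from an elevated PowerShell prompt; `Update-MpSignature` and the registry reads do not need elevation on most builds, but forcing an update on a domain-managed host may be overridden by the configured update source. `Test-MpEnginePatched` is separated from the lookup so the same comparison can be reused in a fleet-wide inventory script that feeds in versions collected from other hosts.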