[SingCERT] Alert on Microsoft Malware Protection Engine Critical Vulnerability (CVE-2017-11937)

Published on Sunday, 10 December 2017 21:47

On 8 December 2017, Microsoft announced a critical remote code execution (RCE) vulnerability existing in the Microsoft Malware Protection Engine, which allows an attacker to take full control of an affected system.

The Malware Protection Engine is a software component that provides scanning, detection, and cleaning capabilities for Microsoft's brand of anti-malware products.

This vulnerability can be triggered when the Malware Protection Engine scans a file to check for threats. By delivering a specially crafted file to the system, an attacker can trigger the memory corruption error. Successful exploitation allows the attacker to execute arbitrary code on the target machine with LocalSystem privileges.

Affected products include:
Microsoft Endpoint Protection
Microsoft Exchange Server 2013 and 2016
Microsoft Forefront Endpoint Protection
Microsoft Security Essentials
Windows Defender for Windows 7, Windows 8.1, Windows 10 and Windows Server 2016
Windows Intune Endpoint Protection

An attacker who has successfully exploited this vulnerability could gain full control of the Windows operating system and perform a variety of malicious tasks ranging from installation of programs, viewing/changing/deleting data, to creating a rogue administrator account.

The Microsoft Malware Protection Engine is released along with anti-malware signatures. Users of affected products are advised to update their Microsoft Malware Protection Engine to version 1.1.14405.2 or higher immediately.

Users can follow this link for instructions on updating the Malware Protection Engine.
There is no known workaround for this vulnerability.
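Since the only remediation is to be on engine version 1.1.14405.2 or higher, the practical check for an administrator is to confirm the installed engine version on each host. The following PowerShell script is an added example, not part of the SingCERT alert or Microsoft's own guidance. It uses the Defender module cmdlets Get-MpComputerStatus and Update-MpSignature where they exist, and falls back to reading the EngineVersion registry value for systems without that module; the two registry key paths in the fallback are assumptions, not taken from the advisory.

```powershell
# Added example (not from the SingCERT alert): verify that the installed
# Microsoft Malware Protection Engine is at or above the fixed version
# named in the advisory for CVE-2017-11937.
$FixedEngineVersion = [version]'1.1.14405.2'

function Get-MpEngineVersion {
    # Preferred path: the Defender PowerShell module (Windows 8.1 / Server 2012 R2 and later).
    if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
        return [version](Get-MpComputerStatus).AMEngineVersion
    }

    # Fallback for hosts without the module (e.g. Windows 7 with Security Essentials):
    # read EngineVersion from the registry. These key paths are assumed, not from the advisory.
    $candidateKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows Defender\Signature Updates',
        'HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware\Signature Updates'
    )
    foreach ($key in $candidateKeys) {
        $value = (Get-ItemProperty -Path $key -Name EngineVersion -ErrorAction SilentlyContinue).EngineVersion
        if ($value) { return [version]$value }
    }
    return $null
}

$installed = Get-MpEngineVersion
if (-not $installed) {
    Write-Warning 'Could not determine the Malware Protection Engine version on this host.'
}
elseif ($installed -ge $FixedEngineVersion) {
    Write-Output "Engine $installed is at or above $FixedEngineVersion; the CVE-2017-11937 fix is present."
}
else {
    Write-Warning "Engine $installed is below $FixedEngineVersion; update required."
    # The engine ships with signature updates, so pulling the latest signatures
    # also pulls the fixed engine where the Defender module is available.
    if (Get-Command Update-MpSignature -ErrorAction SilentlyContinue) {
        Update-MpSignature
        Write-Output "Engine after update: $((Get-MpComputerStatus).AMEngineVersion)"
    }
}
```

Run the script from an elevated PowerShell session, since Update-MpSignature requires administrator rights; on an already-patched host it simply reports the installed engine version. The [version] comparison is used rather than a string comparison so that a build such as 1.1.14500.0 is correctly recognised as newer than 1.1.14405.2.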