[SingCERT] Alert on Microsoft Malware Protection Engine Critical Vulnerability (CVE-2017-11937)

Published on Sunday, 10 December 2017 21:47

Background
On 8 December 2017, Microsoft announced a critical remote code execution (RCE) vulnerability in the Microsoft Malware Protection Engine, which allows an attacker to take full control of an affected system.

The Malware Protection Engine is a software component that provides scanning, detection, and cleaning capabilities for Microsoft's anti-malware products.

This vulnerability can be triggered when the Malware Protection Engine scans a file to check for threats. By delivering a specially crafted file to the system, an attacker can exploit the memory corruption flaw. The crafted file would then be able to execute arbitrary code on the target machine with LocalSystem privileges.

Affected products include:
Microsoft Endpoint Protection
Microsoft Exchange Server 2013 and 2016
Microsoft Forefront Endpoint Protection
Microsoft Security Essentials
Windows Defender for Windows 7, Windows 8.1, Windows 10 and Windows Server 2016
Windows Intune Endpoint Protection

Impact
An attacker who has successfully exploited this vulnerability could gain full control of the Windows operating system and perform a variety of malicious tasks ranging from installation of programs, viewing/changing/deleting data, to creating a rogue administrator account.
 
Recommendations
The Microsoft Malware Protection Engine is released along with anti-malware signatures. Users of affected products are advised to update their Microsoft Malware Protection Engine to version 1.1.14405.2 or higher immediately.

Users can follow this link on how to update the Malware Protection Engine.
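A check a defender can run to confirm the local engine is at or above the fixed version named above. This is an added example, not part of the SingCERT advisory; it assumes the Windows Defender PowerShell module (Get-MpComputerStatus, Update-MpSignature) is available, which holds for Windows Defender on Windows 8.1, Windows 10 and Windows Server 2016 but not for the other listed products.

```powershell
# Added example, not part of the advisory. Assumes the Defender module
# (Get-MpComputerStatus / Update-MpSignature) is present on this host.
$FixedEngineVersion = [version]'1.1.14405.2'   # fixed version from the advisory

function Test-MpEngineFixed {
    param([version]$Minimum = $FixedEngineVersion)

    # AMEngineVersion is the Malware Protection Engine version as a string,
    # e.g. "1.1.14405.2"; cast to [version] so comparison is numeric, not lexical.
    $status  = Get-MpComputerStatus -ErrorAction Stop
    $current = [version]$status.AMEngineVersion

    [pscustomobject]@{
        EngineVersion    = $current
        RequiredVersion  = $Minimum
        Fixed            = ($current -ge $Minimum)
        RealTimeEnabled  = $status.RealTimeProtectionEnabled
        SignatureUpdated = $status.AntivirusSignatureLastUpdated
    }
}

$result = Test-MpEngineFixed
$result | Format-List

if (-not $result.Fixed) {
    # The engine ships with signature updates, so pulling the latest
    # signatures also pulls the patched engine; re-check afterwards.
    Write-Warning "Engine $($result.EngineVersion) is below $($result.RequiredVersion); updating signatures."
    Update-MpSignature -ErrorAction Stop
    Test-MpEngineFixed | Format-List
}
```

Run it in an elevated PowerShell session; a Fixed value of True means the host already has the patched engine.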
 
Workaround
There is no known workaround for this vulnerability.
 
References
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11937
https://thehackernews.com/2017/12/windows-update-malware-protection.html