
Microsoft fixes another 'potentially extremely bad' vulnerability found by Google researcher


CrAKeN


Google's Project Zero researcher Tavis Ormandy seems to have a way with Windows exploits. Just three days after he revealed what he called a 'crazy bad vulnerability' in Windows earlier this month, he was back at it again with another critical exploit in Microsoft's Windows Defender.


Just like the last zero-day, this exploit had to do with the Malware Protection Engine used by Microsoft; Ormandy explained the technical details of the exploit as follows:

Quote:

MsMpEng includes a full system x86 emulator that is used to execute any untrusted files that look like PE executables. The emulator runs as NT AUTHORITY\SYSTEM and isn’t sandboxed. Browsing the list of win32 APIs that the emulator supports, I noticed ntdll!NtControlChannel, an ioctl-like routine that allows emulated code to control the emulator.

What this allows in practice is both an invasion of your privacy - an attacker could query your local files via Defender's scan results - and, at worst, possible remote execution of nefarious code on your system.


Unlike the previous exploit, however, Ormandy did not publicly disclose the vulnerability via Twitter, instead choosing to contact Microsoft directly, which last week pushed out an update that fixed the issue.


Udi Yavo, another researcher, classified the discovery as being "potentially an extremely bad vulnerability, but probably not as easy to exploit as Microsoft’s earlier zero day, patched just two weeks ago." Both Yavo and Ormandy also took issue with Microsoft's implementation of the Malware Protection Engine, criticizing Microsoft's decision to not run it in a sandbox, and the inclusion of extra instructions that allow the engine to make API calls.


Source

straycat19

Microsoft has released a silent fix for a critical vulnerability in Malware Protection Engine. An attacker could create a malicious executable that when processed by the Malware Protection Engine's emulator would allow remote code execution. Microsoft learned of the flaw on May 12 and fixed it on Wednesday, May 24. The issue was patched automatically if users have configured their systems for automatic updates.

Article

 

More Info

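A defender's follow-up to the second post, added here and not part of the article or either poster's text: a PowerShell check that reads the Malware Protection Engine build Defender reports on the host and compares it with the build that carries the fix, so an admin can confirm the silent update actually landed. The page does not state the fixed engine build, so `$PatchedEngineBuild` is a placeholder to fill in from Microsoft's advisory; the cmdlets and properties used are Defender's own module.

```powershell
# Added example, not from the article. Needs the Defender PowerShell module
# (Get-MpComputerStatus, Get-MpPreference, Update-MpSignature).
# PLACEHOLDER: the article does not give the engine build that carries the fix;
# take it from Microsoft's advisory for this issue before running.
$PatchedEngineBuild = [version]'0.0.0.0'

function Test-MpEnginePatched {
    param([version]$MinimumEngine = $PatchedEngineBuild)

    $status = Get-MpComputerStatus
    $engine = [version]$status.AMEngineVersion

    # Engine builds ship inside definition updates, so report the definition
    # version and age too: a stale engine usually means a stalled update channel.
    [pscustomobject]@{
        EngineVersion      = $engine
        MinimumEngine      = $MinimumEngine
        Patched            = ($engine -ge $MinimumEngine)
        DefinitionVersion  = $status.AntivirusSignatureVersion
        DefinitionAgeDays  = $status.AntivirusSignatureAge
        RealTimeProtection = $status.RealTimeProtectionEnabled
    }
}

$result = Test-MpEnginePatched
$result | Format-List

if (-not $result.Patched) {
    # Pull the current engine/definition package now instead of waiting for
    # the scheduled check, then re-read the engine build.
    Write-Warning "Engine $($result.EngineVersion) is below $($result.MinimumEngine); forcing an update."
    Update-MpSignature
    Write-Output ("Engine after update: {0}" -f (Get-MpComputerStatus).AMEngineVersion)
}

# How often Defender looks for definition (and therefore engine) updates, in hours.
Write-Output ("Scheduled definition check interval: {0} hour(s)." -f (Get-MpPreference).SignatureUpdateInterval)
```

Run it in an elevated session; a machine that shows Patched = False after Update-MpSignature is not receiving updates and should be investigated before it scans untrusted files.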

