A critical security flaw in the code for Microsoft’s Malware Protection Engine was repaired by the company within two days of first being reported by two researchers, helping to lock down the code and prevent malicious attacks against users.
In a May 8 security advisory, Microsoft acknowledged the update for its Malware Protection engine, which addresses a vulnerability that could allow remote code execution if the Microsoft Malware Protection Engine scans a specially-crafted file, leading to memory corruption. “An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the LocalSystem account and take control of the system,” the company reported. “An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”
Several Microsoft anti-malware products feature the Microsoft Malware Protection Engine, including Microsoft Forefront Endpoint Protection 2010, Microsoft Endpoint Protection, Microsoft Forefront Security for SharePoint Service Pack 3, Microsoft System Center Endpoint Protection, Microsoft Security Essentials, Microsoft Intune Endpoint Protection and Windows Defender for Windows versions 7, 8.1, RT 8.1, 10 1511, 10 1607, Windows Server 2016 and Windows 10 1703.
The patch automatically updates the Microsoft Malware Protection Engine and also provides updated malware definitions for the affected products. Administrators of enterprise installations should follow their established internal processes to ensure that the definition and engine updates are approved in their update management software, and that clients consume the updates accordingly, the company states in its advisory.
“Typically, no action is required of enterprise administrators or end users to install updates for the Microsoft Malware Protection Engine, because the built-in mechanism for the automatic detection and deployment of updates will apply the update within 48 hours of release,” the company added.
The versions of the Malware Protection Engine that are affected by the vulnerability range from Version 1.1.13701.0 to Version 1.1.13704.0. If a user’s version of the Microsoft Malware Protection Engine is equal to or greater than these versions, they are not affected by this vulnerability and do not need to take any further action.
The Microsoft Malware Protection Engine helps ensure that malware definitions and its own operations are kept up to date automatically inside applications. Microsoft typically releases an update for the Microsoft Malware Protection Engine once a month, or as needed to protect against new threats.
To prevent security breaches due to the vulnerability, Microsoft recommends that users verify that the updates were installed and if needed, install the updates manually.
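One way for an administrator to perform that verification on a Windows 8.1/10 or Server 2012 R2+ machine, as an added example that is not part of the article and not Microsoft’s own tooling: it reads the engine version through the Defender PowerShell module and compares it with the first fixed build, which this example assumes to be 1.1.13704.0 (the upper bound the article quotes). Older products such as Security Essentials or Forefront do not expose this cmdlet and need a different check.

```powershell
# Added example, not from the article or from Microsoft.
# Assumption: 1.1.13704.0 is the first engine build with the fix.
# Assumption: the Defender module (Get-MpComputerStatus, Update-MpSignature)
# is available, i.e. Windows 8.1/10 or Windows Server 2012 R2 and later.

function Test-MpEngineFixed {
    param(
        [version]$FixedVersion = [version]'1.1.13704.0'
    )

    # AMEngineVersion is the Malware Protection Engine build in use;
    # AntivirusSignatureVersion is the definition package that shipped with it.
    $status = Get-MpComputerStatus -ErrorAction Stop
    $engine = [version]$status.AMEngineVersion

    # [version] comparison is numeric per component, so 1.1.13704.0 -ge 1.1.13701.0
    # behaves correctly where a string comparison would not.
    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        EngineVersion    = $engine
        SignatureVersion = $status.AntivirusSignatureVersion
        Fixed            = ($engine -ge $FixedVersion)
    }
}

$result = Test-MpEngineFixed
$result | Format-List

if (-not $result.Fixed) {
    # Pull the latest engine and definitions through the normal update channel,
    # then re-check rather than assuming the update applied.
    Update-MpSignature -ErrorAction Stop
    Test-MpEngineFixed | Format-List
}
```

Run it under an elevated session; in an enterprise the same function can be invoked through Invoke-Command against a list of hosts to produce a fleet-wide report.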
Microsoft said it had not received any information to indicate that the vulnerability had been publicly used to attack customers when its security alert was issued.
The vulnerability was first reported May 6 by Tavis Ormandy and Natalie Silvanovich, both of whom work for Google as vulnerability researchers. Ormandy later tweeted his congratulations to Microsoft for patching the vulnerability so quickly. “Still blown away at how quickly @msftsecurity responded to protect users, can’t give enough kudos,” he wrote. “Amazing.”
Charles King, principal analyst with research firm Pund-IT, told ITPro that Microsoft’s actions to resolve the security flaw almost immediately were on target.
“By most any measure, this was a serious vulnerability,” he wrote in an email reply. “The fact that it existed in Microsoft’s Malware Protection Engine was also more than a little ironic. After all, customers have reasonable expectations that malware protection technologies should do exactly that – not offer cyber criminals unexpected new attack vectors.”
King said that “it’s entirely unsurprising that Microsoft would address the issue quickly and completely. Anything less would smack of negligence.”
Greg Young, a security analyst with Gartner, told ITPro he was also impressed with Microsoft’s very fast actions concerning the vulnerability.
“One of the most responsible vendors had this vulnerability and they took it very seriously,” said Young. “Their reaction time [of two days] was stunning, unheard of before.”
Typically the timeline for software vulnerability reports being investigated and resolved with patches can take 30 to 90 days, said Young. “This is the best reaction we’ve seen. It’s almost like a terrible fire happened right next to the best fire station in town.”
The incident does, however, highlight a bigger problem in recent years – that of hackers directly targeting security products to aim their exploits and attacks, said Young.
“The rates of vulnerabilities in security products have now become unacceptably high,” partly because there is little or no oversight of the products today, compared to the past when security products often received third-party accreditations, he said. “We used to have government-funded lab testing, but it’s not there anymore” due to budget cuts and an inability for such programs to keep up with the fast-moving changes in IT. “It’s not good.”
Another problem, he said, is that some software companies spend more money on marketing for their security products than they do on research and development, which means that products aren’t built well enough to stand up to attacks.
“We’ve seen a lot of security vendors have trouble,” he said.