
Microsoft patches critical Malware Protection Engine flaw

Microsoft has patched a remote code execution vulnerability impacting the Microsoft Malware Protection Engine – mpengine.dll – which provides the scanning, detection and cleaning capabilities for Microsoft’s various anti-virus and anti-spyware software including Windows Defender.




The Microsoft Malware Protection Engine provides scanning, detection and cleaning capabilities for security software made by the company. The engine is affected by a flaw that can be exploited for remote code execution when a specially crafted file is scanned.

The malicious file can be delivered via a website, email or instant messenger. If real-time protection is enabled, the Malware Protection Engine will scan the file automatically, allowing the attacker to execute arbitrary code in the context of the LocalSystem account, which can lead to a complete takeover of the targeted system.


On systems where real-time scanning is not enabled, the exploit will still be triggered, but only when a scheduled scan is initiated.

To exploit the vulnerability, Microsoft says a specially crafted file must be scanned by an unpatched version of the Microsoft Malware Protection Engine. An attacker could deliver the file in a variety of ways – by using a malicious website, through e-mail, by uploading it to a shared directory or even via a messaging client.

An attacker who successfully exploits the vulnerability could take control of a system and install programs. Bad actors could also view, change or delete data and even create new accounts with full user rights.

The update, Microsoft said, corrects the manner in which the Microsoft Malware Protection Engine scans specially crafted files.

Updates to the Microsoft Malware Protection Engine are typically released once a month, although exceptions are made in cases like this.


Fortunately, no action is required by end users. The built-in mechanism for detection and deployment of updates should automatically apply the patch within 48 hours of release, although Microsoft says the exact timeframe will depend on the software used, your Internet connection and infrastructure configuration.
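
To confirm that the automatic update has actually landed on a host, the installed engine version can be compared with the fixed version given in Microsoft's advisory. The PowerShell function below is an added example, not part of the original article; it assumes the Defender module's `Get-MpComputerStatus` cmdlet is available on the host, and the function name `Test-MpEngineVersion` and its `MinimumVersion` parameter are hypothetical. The article does not state the fixed version, so the caller supplies it.

```powershell
# Added example: check the local Malware Protection Engine version against
# the fixed version from the vendor advisory.
function Test-MpEngineVersion {
    [CmdletBinding()]
    param(
        # Fixed engine version taken from Microsoft's advisory. The article
        # does not state it, so it must be supplied by the caller.
        [Parameter(Mandatory)]
        [version]$MinimumVersion
    )

    # Get-MpComputerStatus is part of the Defender PowerShell module.
    try {
        $status = Get-MpComputerStatus -ErrorAction Stop
    } catch {
        Write-Warning "Cannot query Defender status: $($_.Exception.Message)"
        return
    }

    # AMEngineVersion is the version of the scanning engine (mpengine.dll).
    $engine = [version]$status.AMEngineVersion

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        EngineVersion      = $engine
        MinimumVersion     = $MinimumVersion
        Patched            = ($engine -ge $MinimumVersion)
        # With real-time protection on, a crafted file is scanned on arrival;
        # with it off, exposure shifts to the next scheduled scan.
        RealTimeProtection = $status.RealTimeProtectionEnabled
        SignaturesUpdated  = $status.AntivirusSignatureLastUpdated
    }
}

# Usage (placeholder, not a real version number):
#   Test-MpEngineVersion -MinimumVersion '<fixed-engine-version-from-advisory>'
```

A host that reports `Patched = False` more than 48 hours after release is one where the automatic update path described above is not working and needs investigation.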