Microsoft has patched another vulnerability found by Google researcher Tavis Ormandy in its Malware Protection Engine. This time the company has not issued a security advisory, although it did so for a previous vulnerability in the same engine.
Ormandy writes that Microsoft released the patch last week, after he reported the vulnerability on May 12. He notes that the engine, MsMpEng, contains a “full x86 emulator, which can run untrusted files that look like portable executables.” That emulator runs with SYSTEM privileges and is not sandboxed, so anything that escapes it escapes with the highest privileges on the machine. By sifting through the APIs the emulator exposes to the code it runs, he found a way to “let emulated code take over the emulator.”
Udi Yavo, founder of security company enSilo, told Threatpost that this is “a potentially very serious vulnerability, but one that is more difficult to exploit than the one previously patched by Microsoft.” He was referring to CVE-2017-0290, which Microsoft fixed at the beginning of this month. Like the current vulnerability, that one allowed remote code execution on a vulnerable system. The fix for the new vulnerability shipped in version 1.1.13804.0 of the engine, Ormandy said.
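Because the fix arrives through the regular definition-update channel rather than as a Windows Update package, the practical check is the engine version itself. The following PowerShell snippet is an added example, not code from the article or from Microsoft; it assumes the Defender module is present (Windows 8 / Server 2012 or later), and the version threshold is the one quoted above.

```powershell
# Added example (not from the article): verify that the local Defender engine
# is at or past the version the article names as carrying the fix.
# Assumes the Defender PowerShell module (Get-MpComputerStatus) is available,
# i.e. Windows 8 / Server 2012 or later with Windows Defender installed.

$FixedEngineVersion = [version]'1.1.13804.0'   # version quoted in the article

function Test-MpEngineFixed {
    [CmdletBinding()]
    param(
        [version]$MinimumVersion = $FixedEngineVersion
    )
    $status    = Get-MpComputerStatus -ErrorAction Stop
    $installed = [version]$status.AMEngineVersion

    [pscustomobject]@{
        InstalledEngine     = $installed
        RequiredEngine      = $MinimumVersion
        Fixed               = ($installed -ge $MinimumVersion)
        LastSignatureUpdate = $status.AntivirusSignatureLastUpdated
    }
}

$result = Test-MpEngineFixed
$result | Format-List

if (-not $result.Fixed) {
    # Engine updates ride along with signature updates, so forcing a
    # signature refresh is the usual way to pull in a newer engine.
    Write-Warning "Engine $($result.InstalledEngine) predates $($result.RequiredEngine); refreshing signatures."
    Update-MpSignature
}
```

For a fleet, wrap `Test-MpEngineFixed` in `Invoke-Command -ComputerName ...` and collect the `Fixed` field; machines running Microsoft Security Essentials on Windows 7 do not have this module, and their engine version must be read from the product UI or registry instead.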
The researcher, a member of Google’s Project Zero team, recently explained how he goes about finding Windows bugs. For instance, he launched a GitHub project that allows him to load Windows DLLs under Linux. As a demonstration, he ported Windows Defender, of which MsMpEng is the core, to Linux. The aim is to make fuzzing easier without needing a complete virtualized Windows environment. About the engine at the heart of MsMpEng, called mpengine, he writes that it is “a vast and complex attack surface” and that all of that code is reachable by remote attackers.