No system is perfect, and it’s expected that you’ll find flaws in it, even when it comes to systems made by professionals like Microsoft. With that in mind, it would seem that they’ve made a pretty nasty one, and in a tool that’s used in all modern Windows systems.
The tool in question is called the Microsoft Malware Protection Engine, and the flaw could allow hackers to take complete control of the victim’s PC. All of that by simply sending an email that didn’t even need to be opened in order to act. Luckily, the flaw was found, and the party responsible for finding it is once again Google.
Two of Google’s researchers, Tavis Ormandy and Natalie Silvanovich, spotted the bug as part of their zero-day research several days ago. They both shared their findings on Twitter, where Ormandy described it as ‘crazy bad’ and even went as far as to call it the worst of its kind, at least in recent memory. He also stated that a vulnerability in this engine is an extremely bad thing, mostly because the engine runs with high privilege and has the ability to access everything on the system.
Luckily, Microsoft has managed to prepare a quick patch that should have already been received by all of the PCs that have the vulnerable tool.
The company posted an explanation of the flaw and stated that “If the affected antimalware software has real-time protection turned on, the Microsoft Malware Protection Engine will scan files automatically, leading to exploitation of the vulnerability when the specially crafted file is scanned. If real-time scanning is not enabled, the attacker would need to wait until a scheduled scan occurs in order for the vulnerability to be exploited. All systems running an affected version of antimalware software are primarily at risk.”
As we can see, the biggest problem is the way the MMPE (Microsoft Malware Protection Engine) scans specially crafted files. By fixing the way in which this is done, Microsoft has fixed the vulnerability as well. The update should have already arrived automatically, and there’s no need to manually download anything, says Microsoft. Their advisory does, however, offer instructions on how to check whether the patch has arrived.
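The check Microsoft’s advisory points to boils down to comparing the installed engine version against the fixed one. The snippet below is an added example, not from the article or from Microsoft’s advisory; it uses the built-in Defender cmdlet Get-MpComputerStatus, and the fixed engine version is a placeholder you must replace with the value given in Microsoft’s advisory.

```powershell
# Added example: verify the Malware Protection Engine on this host is at or
# above the patched version named in Microsoft's advisory.
# PLACEHOLDER: replace with the fixed engine version from the advisory.
$FixedEngineVersion = [version]'0.0.0.0'

$status = Get-MpComputerStatus

# Cast to [version] so "1.1.10701.0" vs "1.1.9999.0" compares numerically,
# not as strings (string comparison would get this wrong).
$installed = [version]$status.AMEngineVersion

Write-Host "Installed engine version : $installed"
Write-Host "Required engine version  : $FixedEngineVersion"
Write-Host "Real-time protection on  : $($status.RealTimeProtectionEnabled)"

if ($installed -ge $FixedEngineVersion) {
    Write-Host 'Engine is patched.' -ForegroundColor Green
} else {
    # Not patched yet: force a definition/engine update and re-check.
    Write-Warning 'Engine is below the fixed version; requesting an update.'
    Update-MpSignature
    $installed = [version](Get-MpComputerStatus).AMEngineVersion
    Write-Host "Engine version after update: $installed"
}
```

Run it in an elevated PowerShell on Windows 8 or later; the real-time protection line is relevant because, per Microsoft’s statement above, it determines whether a crafted file is scanned immediately or only at the next scheduled scan.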
The problem with the MMPE was found in NScript, a component used for analyzing filesystem and network activity. It didn’t properly validate the type of the data it was processing, and that led to a ‘type confusion’ bug. Hackers could have hidden malicious code in any file that the software would scan, and the system (Windows 8, 8.1, 10 as well as Windows Server systems) would have been infected.
Ormandy said that there’s no way to identify an exploit, which makes the patch extremely urgent. Matthew Hickey, the co-founder of Hacker House, has said that the flaw looks severe, especially since all you need to do to hack Windows 8 or any version that came out after it is to send an email.
It was even suggested that it might be best to simply disable the entire malware detection system. Still, Microsoft did a very good job by preparing the patch as quickly as they did, so credit where it’s due.