Microsoft patches another critical vulnerability in Malware Protection Engine

Microsoft has quietly patched a critical vulnerability in its Malware Protection Engine that Google's Project Zero team reported on 12 May.

The team said an attacker could have crafted an executable, which when processed by emulator of Malware Protection Engine could enable a remote code execution.

Project Zero researcher Tavis Ormandy, who privately disclosed this bug to Microsoft, said the company silently patched the bug.

"Command 0x0C allows you to parse arbitrary-attacker controlled RegularExpressions to Microsoft GRETA (a library abandoned since the early 2000s)," explained Ormandy in Chromium blog, "Command 0x12 allows you to load additional "microcode" that can replace opcodes."

"Various commands allow you to change execution parameters, set and read scan attributes and UFS metadata (example attached). This seems like a privacy leak at least, as an attacker can query the research attributes you set and then retrieve it via scan result," noted Ormandy.

Ormandy detailed another aspect of this bug in Microsoft's Malware Protection Engine saying, "The emulator's job is to emulate the client's CPU. But, oddly Microsoft has given the emulator an extra instruction that allows API calls. It's unclear why Microsoft creates special instructions for the emulator. If you think that sounds crazy, you're not alone."

Udi Yavo, co-founder and CTO of enSilo, in an interview with Threatpost said this vulnerability was potentially an extremely bad vulnerability, and not as easy to exploit as Microsoft's previous zero-day, which was patched two weeks ago.

He added the MsMpEng is not sandboxed, whereas most Windows applications such as Microsoft Edge browser are sandboxes. "MsMpEng is not sandboxed, meaning if you can exploit a vulnerability there it's game over," he said.

Yavo also notes this new vulnerability is tied to the way emulator processes files.