Microsoft has quietly pushed out another fix for their virus scanning engine in Windows Defender, the MsMpEng malware protection engine.
Like the last “crazy bad” vulnerability, this one was discovered by Google Project Zero researcher Tavis Ormandy, but this time he disclosed it privately to Microsoft, suggesting that the criticism he attracted last time for his public disclosure has had some effect.
The vulnerability would allow applications executed in MsMpEng’s emulator to control the emulator itself and achieve all kinds of mischief, including remote code execution when Windows Defender scanned an executable sent by email.
“MsMpEng includes a full system x86 emulator that is used to execute any untrusted files that look like PE executables. The emulator runs as NT AUTHORITY\SYSTEM and isn’t sandboxed. Browsing the list of win32 APIs that the emulator supports, I noticed ntdll!NtControlChannel, an ioctl-like routine that allows emulated code to control the emulator.”
“The emulator’s job is to emulate the client’s CPU. But, oddly, Microsoft has given the emulator an extra instruction that allows API calls. It’s unclear why Microsoft creates special instructions for the emulator. If you think that sounds crazy, you’re not alone,” he wrote.
“Command 0x0C allows you to parse arbitrary attacker-controlled RegularExpressions to Microsoft GRETA (a library abandoned since the early 2000s)… Command 0x12 allows additional ‘microcode’ that can replace opcodes… Various commands allow you to change execution parameters, set and read scan attributes and UFS metadata. This seems like a privacy leak at least, as an attacker can query the research attributes you set and then retrieve it via scan result,” Ormandy wrote.
“This was potentially an extremely bad vulnerability, but probably not as easy to exploit as Microsoft’s earlier zero day, patched just two weeks ago,” said Udi Yavo, co-founder and CTO of enSilo, in an interview with Threatpost.
Yavo criticised Microsoft for not sandboxing the antivirus engine.
“MsMpEng is not sandboxed, meaning if you can exploit a vulnerability there it’s game over,” Yavo said.
The issue was found on 12th May by Google’s Project Zero team, and the fix was sent out last week by Microsoft, which has not posted an advisory. The engine is updated automatically on a regular basis, meaning most users should no longer be vulnerable.
Microsoft is coming under increasing pressure to secure its software, with the company asking for greater cooperation from governments and for the creation of a Digital Geneva Convention to help keep users safe.