Microsoft Releases Security Advisory for Microsoft Malware Protection Engine
Microsoft released a security advisory on Tuesday to warn customers of a vulnerability (CVE-2014-2779) in the Microsoft Malware Protection Engine that could cause a denial of service condition if the engine scans a “specially crafted file”.
If successfully exploited, the vulnerability could prevent the Microsoft Malware Protection Engine from monitoring affected systems until the specially crafted file is manually removed and the service is restarted, Microsoft said.
There are several ways an attacker could place a maliciously crafted file in a location scanned by the Microsoft Malware Protection Engine in order to exploit the vulnerability and crash a system or halt malware protection scanning.
“For example, an attacker could use a website to deliver a specially crafted file to the victim’s system that is scanned when the website is viewed by the user,” Microsoft explained. “An attacker could also deliver a specially crafted file via an email message or in an Instant Messenger message that is scanned when the file is opened. In addition, an attacker could take advantage of websites that accept or host user-provided content, to upload a specially crafted file to a shared location that is scanned by the Malware Protection Engine running on the hosting server.”
The vulnerability could also cause an application to close or quit unexpectedly without automatically recovering, and exploitation of the vulnerability could occur when the system is scanned using an affected version of Microsoft’s Malicious Software Removal Tool (MSRT).
The Microsoft Malware Protection Engine (mpengine.dll) ships with several Microsoft antimalware products and provides the scanning, detection, and cleaning capabilities for Microsoft antivirus and antispyware software.
Microsoft has provided updates for the following affected software:
• Microsoft Forefront Client Security
• Microsoft Forefront Endpoint Protection 2010
• Microsoft Forefront Security for SharePoint Service Pack 3
• Microsoft System Center 2012 Endpoint Protection
• Microsoft System Center 2012 Endpoint Protection Service Pack 1
• Microsoft Malicious Software Removal Tool (Applies only to May 2014 or earlier versions)
• Microsoft Security Essentials
• Microsoft Security Essentials Prerelease
• Windows Defender for Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2
• Windows Defender for Windows RT and Windows RT 8.1
• Windows Defender for Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2
• Windows Defender Offline
• Windows Intune Endpoint Protection
For the most part, no action is required of enterprise administrators or end users to install the update, but Microsoft suggested that administrators of enterprise installations follow their established internal processes to ensure that the definition and engine updates are approved in their update management software, and that clients consume the updates accordingly.
According to Microsoft, the built-in mechanism for the automatic detection and deployment of updates will apply the update within 48 hours of release, with the exact time frame depending on the software used, Internet connection, and infrastructure configuration.
Tavis Ormandy of Google Project Zero reported the bug to Microsoft, and it is not believed that the vulnerability has been exploited in the wild.
