Biz & IT —

Massive vulnerability in Windows Defender leaves most Windows PCs vulnerable

PCs can be compromised when Defender scans an e-mail or IM; patch has been issued.

Massive vulnerability in Windows Defender leaves most Windows PCs vulnerable
Timothy A. Clary/AFP/Getty Image

Microsoft on Monday patched a severe code-execution vulnerability in the malware protection engine that is used in almost every recent version of Windows (7, 8, 8.1, 10, and Server 2016), just three days after it came to its attention. Notably, Windows Defender is installed by default on all consumer-oriented Windows PCs.

The exploit (officially dubbed CVE-2017-0290) allows a remote attacker to take over a system without any interaction from the system owner: it's simply enough for the attacker to send an e-mail or instant message that is scanned by Windows Defender. Likewise, anything else that is automatically scanned by Microsoft's malware protection engine—websites, file shares—could be used as an attack vector. Tavis Ormandy, one of the Google Project Zero researchers who discovered the flaw, warned that exploits were "wormable," meaning they could lead to a self-replicating chain of attacks that moved from vulnerable machine to vulnerable machine.

Microsoft's speed in issuing an automatic patch was impressive. Word of the critical flaw first surfaced in a Friday night series of tweets by Ormandy. He called it "the worst Windows remote code exec in recent memory" and warned that an attacks "work against a default install, don't need to be on the same LAN, and it's wormable." Most security experts assumed Microsoft would require several weeks to patch it. To their surprise, Microsoft pushed out the patch Monday evening.

Because MsMpEng runs at the highest privilege level and is so ubiquitous across Windows PCs, this vulnerability is about as bad as it gets. Fortunately, the security researchers who discovered it—Natalie Silvanovich and Ormandy both with Google Project Zero—privately reported technical details, and last night Microsoft announced the patch. MsMpEng automatically updates every 48 hours, so disaster has probably been averted. The security bulletin notes that Microsoft hadn't seen any public exploitation of the vulnerability.

The vulnerability itself, though, is worth discussing because it once again calls into question whether antivirus software is a good idea.

The Google researchers found that MsMpEngine contains a component called NScript that analyses any filesystem or network activity that looks like JavaScript. NScript isn't sandboxed and runs at a very high privilege level, and it's used to evaluate untrusted code by default on almost every modern Windows system. "This is as surprising as it sounds," the bug report says.

NScript can be exploited with a few lines of JavaScript, which can be injected via a specially crafted Web page, e-mail, or just about any other attack vector. That's one of the big problems with anti-malware software: by trying to protect the system from every angle, they also expose their own vast attack surface. The attack could come in the form of a zip file, an emulator ROM, an interpreted Python file, over the LAN...

There is proof-of-concept code attached to the bug report, but amusingly it will crash MsMpEngine "and possibly destablise your system" if you download it. "Extra care should be taken sharing this report with other Windows users via Exchange, or Web services based on IIS, and so on," the researchers note.

Microsoft says the risk of remote code execution is lower on Windows 10 and Windows 8.1 because of CFG, a security feature that protects against memory corruption. CFG is an optional compilation flag in Visual Studio 2015.

To check whether your Windows PC has been updated, head to "Windows Defender settings" and note the Engine version number. 1.1.13704.0 or higher means you've been patched. And now just sit back and wait for the next vulnerability.

Now read about the rise of the zero-day market, or why we should stop using antivirus software...

Listing image by Timothy A. Clary/AFP/Getty Image

Channel Ars Technica