The more security researchers dissect Microsoft’s Malware Protection Engine (MsMpEng), which is found in most Windows security products, the more it shows major cracks. Most recently, researcher Tavis Ormandy (of Google’s Project Zero team) disclosed an initially private bug report regarding “apicall’ instruction that can invoke a large number of internal emulator apis and is exposed to remote attackers by default in all recent versions of Windows.”
His initial question was whether or not Microsoft had designed the “apicall” instruction to be deliberately exposed, and when Microsoft confirmed that it indeed was deliberate, Ormandy proceeded to create a fuzzer (a powerful coded tool for pen-testing and hacking) to find bugs. Immediately the fuzzer exposed a heap corruption in the KERNEL32.DLL!VFS_Write API.
Heap corruptions are dangerous as they can crash the program or cause it to behave abnormally. In this case it allows for an attacker to leverage the corrupted memory to create a remote code execution attack. Microsoft eventually began working on a patch that was released just recently. The patch is considered critical because the vulnerability affects popular products like Endpoint Protection, Security Essentials, and Defender.
In a statement that was a part of its patch report, Microsoft said the following, which echoed the bug report:
“An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the LocalSystem account and take control of the system … An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”
Microsoft also clarified, in a way to mitigate the damage, that x86 or 32-bit versions of MsMpEng were the only versions at risk. The patch in most cases should update automatically, but you should make sure that the update is installed anyway.
As Kaspersky Lab’s Threatpost points out, this is only the latest of numerous issues for MsMpEng as there have been patches stretching all the way back to early May. Microsoft’s security programs, at the very core level, are proving to be incredibly flawed, and this should serve as a lesson to the company when they make future security products. The QA testing period must be far more rigorous moving forward, as they cannot afford to put a large number of their customer base at risk to cyberattacks.
Photo credit: Pixabay