Microsoft scrambled to patch a critical Windows flaw following a British intelligence organization discovering and disclosing the exploit to the company. The flaw in question, CVE-2017-11937, was uncovered by the UK’s National Cyber Security Centre (NCSC), which is a part of the Government Communications Headquarters (GCHQ) intelligence agency.
CVE-2017-11937, as Microsoft wrote in its security advisory, is a critical remote code execution vulnerability that exists in Microsoft’s Malware Protection Engine. The vulnerability, which affects Windows versions from 7 and beyond, leverages Windows Defender, Microsoft Security Essentials, Microsoft Endpoint Protection, and Windows Intune Endpoint Protection’s dependence on the Malware Protection Engine to exploit the vulnerability. The result of a successful use of the exploit is the following, according to Microsoft’s advisory:
An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the LocalSystem account and take control of the system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights
To utilize CVE-2017-11937, an attacker must specially craft a malicious packet that will be scanned by default. For this to happen, the packet must be sent to a location that Windows security products scan automatically (such as email, hosting servers, and a website). Since the scan is automatic, the packet can execute its remote code before the system has any time to react, thus giving a hacker full access to the machine.
The good news here is that the patch for this critical Windows flaw was deployed rather swiftly. Even better, users may already have the updated version of the Windows OS that contains this patch. As Catalin Cimpanu of Bleeping Computer explains in his report on the exploit, the Microsoft Malware Protection Engine version 1.1.14405.2 update was automatically installed on machines that have their “self-update mechanism for this component” enabled. The only way that this update could have been blocked is “have opted to block MMPE updates by tweaking registry keys or via group policies.”
Photo credit: Flickr / Robert Scoble