Microsoft issues patch for critical Windows flaw

Microsoft scrambled to patch a critical Windows flaw after a British intelligence organization discovered the vulnerability and disclosed it to the company. The flaw in question, CVE-2017-11937, was uncovered by the UK’s National Cyber Security Centre (NCSC), which is part of the Government Communications Headquarters (GCHQ) intelligence agency.

CVE-2017-11937, as Microsoft wrote in its security advisory, is a critical remote code execution vulnerability in Microsoft’s Malware Protection Engine. It affects Windows versions from 7 onward: because Windows Defender, Microsoft Security Essentials, Microsoft Endpoint Protection, and Windows Intune Endpoint Protection all depend on the Malware Protection Engine, each of those products is exposed through it. According to Microsoft’s advisory, a successful exploit has the following result:

An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the LocalSystem account and take control of the system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

To exploit CVE-2017-11937, an attacker must craft a malicious packet that will be scanned by default. For that to happen, the packet has to be delivered to a location that Windows security products scan automatically, such as email, a hosting server, or a website. Because the scan is automatic, the packet’s code runs before the system or its user has any chance to react, giving the attacker full access to the machine.

The good news is that the patch for this critical Windows flaw was deployed swiftly, and many users may already have it. As Catalin Cimpanu of Bleeping Computer explains in his report on the exploit, Microsoft Malware Protection Engine version 1.1.14405.2 was installed automatically on machines that have the “self-update mechanism for this component” enabled. The only machines that would have missed the update are those whose owners, in his words, “have opted to block MMPE updates by tweaking registry keys or via group policies.”
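Because the fix ships as an engine update rather than an OS patch, the practical check for a defender is whether the installed Malware Protection Engine is at or above the version the article names, 1.1.14405.2. The script below is an added example, not code from the article or from Microsoft. It assumes the Defender PowerShell module (Get-MpComputerStatus) is present, which is the case on Windows 8.1 / Server 2012 R2 and later; for older hosts it falls back to registry values that the engine updater is assumed to write, and the registry paths are assumptions, not taken from the article.

```powershell
# Added example (not from the article): report whether this host's
# Malware Protection Engine is at or above the fixed version named in
# the article (1.1.14405.2). Assumes Get-MpComputerStatus is available;
# the registry fallback paths below are assumed, not from the article.

$FixedEngineVersion = [version]'1.1.14405.2'

function Get-MpEngineVersion {
    # Preferred source: the Defender cmdlet's AMEngineVersion property.
    if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
        $status = Get-MpComputerStatus -ErrorAction SilentlyContinue
        if ($status -and $status.AMEngineVersion) {
            return [version]$status.AMEngineVersion
        }
    }

    # Fallback (assumed paths): engine version recorded by the updater for
    # Windows Defender and for Microsoft Security Essentials respectively.
    $regPaths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows Defender\Signature Updates',
        'HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware\Signature Updates'
    )
    foreach ($path in $regPaths) {
        $item = Get-ItemProperty -Path $path -Name EngineVersion -ErrorAction SilentlyContinue
        if ($item -and $item.EngineVersion) {
            return [version]$item.EngineVersion
        }
    }
    return $null
}

function Test-MpEnginePatched {
    param(
        [version]$Installed,
        [version]$Fixed = $FixedEngineVersion
    )
    # An unknown version is treated as unpatched so it is not silently passed.
    if (-not $Installed) { return $false }
    return ($Installed -ge $Fixed)
}

$installed = Get-MpEngineVersion
if (-not $installed) {
    Write-Output 'Could not determine the Malware Protection Engine version on this host.'
} elseif (Test-MpEnginePatched -Installed $installed) {
    Write-Output "Engine $installed is at or above $FixedEngineVersion (CVE-2017-11937 fix present)."
} else {
    Write-Output "Engine $installed is older than $FixedEngineVersion; the engine has not self-updated. Check whether MMPE updates are blocked by registry settings or group policy."
}
```

The comparison uses PowerShell's [version] type so that four-part engine versions compare numerically rather than as strings (1.1.14405.2 correctly sorts above 1.1.9999.0). Run it as an administrator across a fleet to find hosts where the self-update mechanism the article describes has been disabled.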

Photo credit: Flickr / Robert Scoble


2 thoughts on “Microsoft issues patch for critical Windows flaw”

  1. The program uses Powershell. By default, Powershell has the execution policy “restricted”; does this ransomware bypass this policy?
    Would it be possible to stop this attack by creating a “Spider” folder inside %appdata% with read-only permissions, so the program wouldn’t have access to download the payload and execute it?

    1. Derek Kortepeter

      Hey I appreciate the question. As a general rule, I don’t ever advise someone to try and perform a workaround for malware when there are already official solutions (i.e. the ones outlined in the article).

      Your question DID however intrigue me. I asked some individuals who are far more experienced in the nuances of Powershell than I, and they all responded with uniformity that your proposed solution would create issues with all applications on your machine.
