Summary
Microsoft released an emergency patch for a newly identified 0-day vulnerability (CVE-2017-0290) discovered over the weekend by Google Project Zero. This vulnerability affects the Microsoft Malware Protection Engine (MsMpEng). According to the Microsoft advisory, “An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the LocalSystem account and take control of the system.” The versions affected by this vulnerability are:

  • Latest: Version 1.1.13701.0
  • Earliest: Version 1.1.13704.0

Any version of the Engine that is greater than this is not affected by the vulnerability.

Microsoft Malware Protection Engine is included in the following Microsoft Products:

  • Microsoft Forefront Endpoint Protection 2010
  • Microsoft Endpoint Protection
  • Microsoft Forefront Security for SharePoint Service Pack 3
  • Microsoft System Center Endpoint Protection
  • Microsoft Security Essentials
  • Windows Defender for Windows 7
  • Windows Defender for Windows 8.1
  • Windows Defender for Windows RT 8.1
  • Windows Defender for Windows 10, Windows 10 1511, Windows 10 1607, Windows Server 2016, Windows 10 1703
  • Windows Intune Endpoint Protection

If your organization runs any of the above, this advisory applies to you.

This vulnerability is triggered when the Microsoft Malware Protection Engine scans a “specially crafted” malicious file built for it; parsing the file corrupts the engine's memory. Exploitation therefore only requires that the attacker get the malicious file into a folder or system that the engine scans. This could be done through spear-phishing, posting it to a website that accepts user-generated content, or dropping it into a shared location.

Impact Assessment
Exploitation of this vulnerability allows Remote Code Execution as LocalSystem and thereby could provide malicious actors with remote access to the host, resulting in a breach of the network.

Mitigation Recommendations
Microsoft released a patch this morning and is auto-updating the software within 48 hours. No patching action should be necessary by network or security administrators to update the Microsoft Malware Protection Engine.

However, administrators should take the following actions:

  • Pay close attention to network behaviors associated with the Engine up until your particular version is updated
  • Confirm the latest version your security employs
  • Confirm that the update did indeed occur within 48 hours
  • If it does not auto-update, manually install the update following Microsoft's instructions
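An added example, not part of the original alert, to check the second and third items above on a Windows host: it reads the engine build through the Defender PowerShell module (Get-MpComputerStatus, Windows 8.1/10/Server 2016) and falls back to the Signature Updates registry keys that Defender and SCEP/FEP/MSE write (the registry paths are an assumption), then compares against 1.1.13704.0, which this script treats as the first unaffected build based on the version pair listed in the Summary and its statement that higher versions are not affected.

```powershell
# Added example (not from the alert): is the local Malware Protection Engine
# at or above the first build that carries the CVE-2017-0290 fix?
$FirstFixed = [version]'1.1.13704.0'   # assumption: first unaffected build

function Get-MpEngineVersion {
    # Prefer the Defender module where it exists (Win 8.1 / 10 / Server 2016).
    if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
        $status = Get-MpComputerStatus -ErrorAction SilentlyContinue
        if ($status -and $status.AMEngineVersion) {
            return [version]$status.AMEngineVersion
        }
    }
    # Fallback: EngineVersion value under the product's Signature Updates key
    # (assumed paths for Windows Defender and for SCEP/FEP/MSE respectively).
    $regPaths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows Defender\Signature Updates',
        'HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware\Signature Updates'
    )
    foreach ($p in $regPaths) {
        $v = (Get-ItemProperty -Path $p -Name EngineVersion `
              -ErrorAction SilentlyContinue).EngineVersion
        if ($v) { return [version]$v }
    }
    return $null
}

function Test-MpEnginePatched {
    param([version]$EngineVersion, [version]$Fixed = $FirstFixed)
    # [version] comparison is numeric per component, so 1.1.13704.0 -ge 1.1.9999.0.
    return ($EngineVersion -ge $Fixed)
}

$engine = Get-MpEngineVersion
if (-not $engine) {
    Write-Warning 'Could not read the Malware Protection Engine version on this host.'
    exit 2
}
if (Test-MpEnginePatched -EngineVersion $engine) {
    Write-Output "Engine $engine is at or above $FirstFixed - CVE-2017-0290 fix present."
    exit 0
}
Write-Warning "Engine $engine is below $FirstFixed - still affected by CVE-2017-0290."
# Engine updates ship with definition updates, so forcing one pulls the fix.
Write-Warning 'Force an update: Update-MpSignature (Defender) or MpCmdRun.exe -SignatureUpdate.'
exit 1
```

Run it from an elevated prompt across the fleet (for example via your endpoint management tool) and treat exit code 1 as "not yet updated" for the 48-hour follow-up.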

Security On-Demand (SOD) Action Taken
In addition to SOD’s Threat Reconnaissance Unit paying close attention to activities surrounding this vulnerability, in particular externally monitoring for any indication of an active exploit being released, SOD’s SecOps Team is actively monitoring for signatures and updates for security sensors to ensure exploitation attempts are alerted on. Beyond this, SecOps is fully aware of the threat and is hunting for any indication of exploitation attempts against our customers.

Feedback: We welcome and request feedback and questions on this Alert, please email SOD SOC at notice@securityondemand.com or call Steven Bay, Director Threat Reconnaissance Unit at 858-408-1422

Sources:

Microsoft Technet

Dark Reading

SOD TRU Internal Research

Tags: Microsoft – Vulnerability – MsMpEng – ZeroDay – Critical
