Microsoft has patched a remote code execution vulnerability in the Microsoft Malware Protection Engine (MPE), according to an advisory issued by the company. The flaw can lead to memory corruption and, if exploited, allows an attacker to execute arbitrary code in the LocalSystem account and seize control of the system.
The vulnerability impacts numerous Microsoft security offerings, including multiple versions of Microsoft Exchange, Forefront Endpoint Protection and Defender. Once in control of a system, an attacker would be able to install programs, change or delete data, or create accounts with full user rights.
“To exploit this vulnerability, a specially crafted file must be scanned by an affected version of the Microsoft Malware Protection Engine,” the advisory warned, noting that there are multiple ways to put a “specially crafted file into a location” that the engine scans, including delivering the file through a website, an email or an IM message. “In addition, an attacker could take advantage of websites that accept or host user-provided content, to upload a specially crafted file to a shared location that is scanned by the Malware Protection Engine running on the hosting server.”
If real-time protection is turned on in the affected antimalware product, the MPE automatically scans files, including specially crafted ones, which gives attackers a way to trigger the vulnerability. Even without real-time scanning turned on, the bug can be exploited when a scheduled scan occurs. “All systems running an affected version of antimalware software are primarily at risk,” Microsoft warned.
The emergency patch released by the company corrects the way the MPE scans those specially crafted files.
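Because the engine scans on its own (real-time protection or a scheduled scan) rather than on user action, the practical defender question is whether each endpoint is already running the corrected engine. The script below is an added example, not code from Microsoft or from the advisory: it reads the Defender status on a Windows host and reports the engine version alongside the two scan paths the article describes. The minimum engine version is a placeholder, since the article does not state the fixed version; it also assumes the Defender PowerShell module (Get-MpComputerStatus) is present, and relies on the fact that MPE engine updates are delivered through the same definition-update channel as signatures.

```powershell
# Added example (not from the advisory or the article). Reports whether this host is
# running a patched Malware Protection Engine and which automatic scan paths are active.
# Assumes the Defender PowerShell module (Windows 10 / Windows Server). The patched
# engine version is a PLACEHOLDER because the article does not give it.

$MinimumEngineVersion = [version]'0.0.0.0'   # PLACEHOLDER: set to the fixed engine version from the advisory

function Get-MpEngineExposure {
    [CmdletBinding()]
    param([version]$Minimum = $MinimumEngineVersion)

    $status = Get-MpComputerStatus
    $engine = [version]$status.AMEngineVersion

    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        EngineVersion         = $engine
        EngineIsCurrent       = ($engine -ge $Minimum)
        # Real-time protection: new files are scanned as they land (the article's first path).
        RealTimeProtection    = $status.RealTimeProtectionEnabled
        AntivirusEnabled      = $status.AntivirusEnabled
        # Scheduled scans: an unpatched engine is still reachable here even with RTP off.
        LastQuickScan         = $status.QuickScanEndTime
        LastFullScan          = $status.FullScanEndTime
        SignaturesLastUpdated = $status.AntivirusSignatureLastUpdated
    }
}

$report = Get-MpEngineExposure
$report | Format-List

if (-not $report.EngineIsCurrent) {
    # Engine updates ride the definition-update channel, so a stale engine usually means
    # definition updates are not arriving; Update-MpSignature pulls the latest package.
    Write-Warning "Engine $($report.EngineVersion) is below the required minimum on $($report.ComputerName); check definition updates and run Update-MpSignature."
}
```

Run it with Invoke-Command against a list of hosts to get one row per machine; a host whose engine is below the minimum and whose SignaturesLastUpdated is days old points to a broken update channel rather than a missing patch.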
“Because Microsoft maintains one of the most widely deployed operating systems, it is a primary target by bad actors,” said Michael Patterson, CEO of Plixer. “Although most consumers already have the necessary patch, this is no time to become overly confident in existing security defensive measures. Malware will make it into every organization connected to the Internet. This means all companies need to prepare for the inevitable breach.”