Microsoft patched an easily exploitable and critical vulnerability in the Microsoft Malware Protection Engine (MMPE).
This out-of-band security update, the second in a week, was released Tuesday. The other out-of-band update addressed Meltdown mitigations, with Microsoft releasing updates for Windows 7 and Windows Server 2008 R2.
“An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the LocalSystem account and take control of the system,” Microsoft said in an advisory. “An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”
“Administrators of enterprise antimalware deployments should ensure that their update management software is configured to automatically approve and distribute engine updates and new malware definitions. Enterprise administrators should also verify that the latest version of the Microsoft Malware Protection Engine and definition updates are being actively downloaded, approved and deployed in their environment,” Microsoft said in the advisory.
“For end-users, the affected software provides built-in mechanisms for the automatic detection and deployment of this update. For these customers, the update will be applied within 48 hours of its availability. The exact time frame depends on the software used, Internet connection, and infrastructure configuration. End users that do not wish to wait can manually update their antimalware software.”
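The verification step Microsoft recommends for administrators can be scripted. The following is an added example, not code from the article or from Microsoft: it reads the engine version that Windows Defender reports, compares it with the fixed engine version from Microsoft's advisory (a placeholder value here, since the article does not list it), and optionally triggers an engine and definition update. It assumes the Defender PowerShell module (Get-MpComputerStatus, Update-MpSignature) is present.

```powershell
# Added example (not from the article or from Microsoft): check whether a host's
# Microsoft Malware Protection Engine is at or above the engine version that
# Microsoft's advisory lists as fixed, and update it if it is not.

function Test-MpEngineVersion {
    param(
        # PLACEHOLDER: supply the first fixed engine version from the advisory for CVE-2018-0986.
        [Parameter(Mandatory)] [version] $FixedEngineVersion,
        [switch] $UpdateIfOutdated
    )

    $status = Get-MpComputerStatus
    if (-not $status.AMEngineVersion) {
        throw "No Microsoft antimalware engine reported on this host."
    }
    $engine = [version] $status.AMEngineVersion   # version of mpengine.dll

    if ($engine -lt $FixedEngineVersion -and $UpdateIfOutdated) {
        # Pull the latest engine and definitions through Microsoft Update, then re-read the version.
        Update-MpSignature -UpdateSource MicrosoftUpdateServer
        $status = Get-MpComputerStatus
        $engine = [version] $status.AMEngineVersion
    }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        EngineVersion      = $engine
        FixedEngineVersion = $FixedEngineVersion
        Patched            = ($engine -ge $FixedEngineVersion)
        SignatureVersion   = $status.AntivirusSignatureVersion
        SignaturesUpdated  = $status.AntivirusSignatureLastUpdated
    }
}

# Example run. '0.0.0.0' is a placeholder; replace it with the fixed version from the advisory.
Test-MpEngineVersion -FixedEngineVersion '0.0.0.0' -UpdateIfOutdated | Format-List
```

Run it through your management tooling against each host and collect the Patched field to see where engine updates are not actually landing.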
The Microsoft Malware Protection Engine, mpengine.dll, provides the scanning, detection, and cleaning capabilities for a variety of Microsoft antivirus and antispyware software: Windows Defender, Microsoft Endpoint Protection, Microsoft Security Essentials, and so on.
CVE-2018-0986 was discovered by Thomas Dullien (aka “Halvar Flake”), a security researcher with Google Project Zero.
The source of the vulnerability is an older version of the open-source archiving utility unrar, which has been forked and modified by Microsoft and incorporated into the MMPE.
“To exploit this vulnerability, a specially crafted file must be scanned by an affected version of the Microsoft Malware Protection Engine,” Microsoft said, adding that there are multiple ways such a file can be placed in a location that is scanned by the MMPE.