It’s like Pepsi declaring that Coke won a taste test: Google Project Zero security researchers discovered a security hole in Microsoft’s Malware Protection Engine, and two days later the Microsoft Security Response Center not only fixed the bug but also rolled out the update through the usual Windows Defender update mechanism.
The bug in the main Windows Defender program was described in Security Advisory 4022344. Chances are good your Windows computer got the fix last night.
Google Project Zero security researchers Tavis Ormandy and Natalie Silvanovich are credited with discovering the vulnerability. Ormandy tweeted that the security hole was “the worst Windows remote code exec in recent memory… crazy bad.”
After Microsoft’s quick action on the bug, Ormandy—ordinarily one of Microsoft’s biggest critics—was swift to respond. “What an amazing response, thanks so much Simon and MSRC! That was incredible work.”
The praise seems quite justified. The “wormable” hole has been plugged, and everything is now right with Microsoft Endpoint Protection, Forefront Security, Security Essentials, Intune Endpoint Protection, and all versions of Windows Defender, from Windows 7 to 8.1 to RT to Windows 10 versions 1507, 1511, 1607, and 1703.
In short, it was a stunning response to a bad bug (and one more reason why you should not turn off wuauserv, the Windows Update service).
The easiest way to make sure you got the fix is to check the version number for MsMpEng.exe, the Microsoft Malware Protection Engine. You’re looking for engine version 1.1.13704.0 or higher (1.1.13701.0 has the security hole). Here’s how to hunt down the version:
- In Windows 7, click Start > Run, type Windows Defender, and press Enter. Click the down arrow at the top on the right and choose About Windows Defender. To manually update the engine, click the down arrow, then Check for updates.
- In Windows 8.1, click Start and in the search box type Windows Defender. Then follow the instructions for Windows 7.
- In Windows 10, type Windows Defender in the Cortana search box and press Enter. In the upper-right corner, click Settings. Scroll down to the bottom and your Engine version appears under Version info. If you don’t have 1.1.13704.0, go into Windows Update (Start > Settings > Update & security), then click Check for updates. The new Windows Defender update (126.96.36.199 on my 1607 PC) should appear. Wait and make sure Windows installs it.
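An added PowerShell script (not from the article or from Microsoft) that automates the version hunt above for a fleet or a single PC. It assumes the Defender module's Get-MpComputerStatus / Update-MpSignature cmdlets on Windows 8.1 and 10, and on Windows 7 falls back to the default Definition Updates folder, which is an assumption about the install path.

```powershell
# Added example: is the Malware Protection Engine at or above the fixed build?
# Version numbers come from the article; paths and cmdlet availability are assumptions.
$FixedEngine      = [version]'1.1.13704.0'   # first engine build with the fix
$VulnerableEngine = [version]'1.1.13701.0'   # build the article names as vulnerable

function Get-MpEngineVersion {
    # Preferred route: ask Defender itself (Windows 8.1 / Windows 10).
    if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
        $status = Get-MpComputerStatus
        if ($status.AMEngineVersion) { return [version]$status.AMEngineVersion }
    }
    # Fallback for Windows 7 / Security Essentials, where the cmdlet does not exist:
    # read the file version of the newest mpengine.dll (assumed default location).
    $pattern = Join-Path $env:ProgramData 'Microsoft\Windows Defender\Definition Updates\*\mpengine.dll'
    $dll = Get-ChildItem -Path $pattern -ErrorAction SilentlyContinue |
           Sort-Object LastWriteTime -Descending | Select-Object -First 1
    if ($dll) { return [version]$dll.VersionInfo.FileVersion }
    return $null
}

function Test-MpEngineFixed {
    param([switch]$Update)   # -Update: trigger the same update as "Check for updates"
    $current = Get-MpEngineVersion
    if (-not $current) {
        return [pscustomobject]@{ Engine = $null; Fixed = $false; Note = 'Engine version not found' }
    }
    # Compare as [version], never as strings: '1.1.13704.0' -ge '1.1.9999.0' is FALSE as text.
    $fixed = $current -ge $FixedEngine
    if (-not $fixed -and $Update -and (Get-Command Update-MpSignature -ErrorAction SilentlyContinue)) {
        Update-MpSignature -ErrorAction Stop
        $current = Get-MpEngineVersion
        $fixed   = $current -ge $FixedEngine
    }
    if ($fixed)                              { $note = 'Engine at or above 1.1.13704.0' }
    elseif ($current -eq $VulnerableEngine)  { $note = 'Vulnerable build 1.1.13701.0 still installed' }
    else                                     { $note = 'Older than the fixed engine; update required' }
    [pscustomobject]@{ Engine = $current; Fixed = $fixed; Note = $note }
}

Test-MpEngineFixed
```

Run it elevated with `-Update` to pull the new engine on a machine that reports Fixed = False, then re-run to confirm.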
For technical details about the security hole, read Ormandy and Silvanovich’s article on the Project Zero blog. The problem boils down to a failure of one function in a privileged kernel program to validate the argument being passed to it. As a result, a bad guy can rig nearly anything to trigger remote execution. The flaw digs into Windows using the component of MsMpEng called mpengine:
Mpengine is a vast and complex attack surface, comprising of handlers for dozens of esoteric archive formats, executable packers and cryptors, full system emulators and interpreters for various architectures and languages, and so on. All of this code is accessible to remote attackers.
Has anybody examined what Microsoft’s “fix” of the Defender vulnerability is? Did they just resolve the type confusion?
Discussion continues on the AskWoody Lounge.