Earlier this week Google released an update for the Chrome web browser that it urged users to install immediately, because Google's Threat Analysis Group had uncovered a critical zero-day vulnerability that was already being exploited in the wild. Now a Google security engineer, Clement Lecigne, has warned that a second zero-day vulnerability, this one in Windows 7 and also under active exploitation, was being chained with the Chrome exploit to take over Windows systems. Google is urging all Windows 7 users to upgrade to Windows 10, and to make sure their Chrome browser is up to date, to avoid the combined threat.
The Windows zero-day is a local privilege escalation in the win32k.sys kernel driver that lets an attacker escape the browser's security sandbox. An attacker who has already gained code execution through the Chrome bug can use it to elevate to system privileges and then run further malicious code. “The vulnerability is a NULL pointer dereference in win32k!MNGetpItemFromIndex when NtUserMNDragOver() system call is called under specific circumstances,” Clement Lecigne said, adding, “we strongly believe this vulnerability may only be exploitable on Windows 7 due to recent exploit mitigations added in newer versions of Windows. To date, we have only observed active exploitation against Windows 7 32-bit systems.”
The Google Threat Analysis Group disclosed the zero-day to Microsoft, which has said it is working on a fix, but as yet there is no indication of how long this might take. For now the vulnerability has to be treated as critical and unpatched. For this reason, Google is advising that users of Windows 7 should upgrade to Windows 10 and apply patches from Microsoft as soon as they become available. “Not all vulnerabilities are created equal, and many, if considered on their own, are not cause for undue concern,” says Jim O’Gorman, president of Offensive Security, who continues, “if they were flagged by the organization’s security solution, they likely would not have been prioritized in patching. It’s when a group of seemingly minor flaws are chained together that they can be used to devastating effect.”
In an emergency out-of-band update released late last night, Microsoft fixed a vulnerability in the Microsoft Malware Protection Engine discovered by two Google security experts over the weekend, and which the two described as “crazy bad” and “the worst Windows remote code exec in recent memory.”
While initially the two Google experts didn’t reveal what Windows feature the bug was found in, the veil of mystery lifted yesterday when both Microsoft and the two experts shared more details about the issue.
Vulnerability affects Microsoft Malware Protection Engine
According to both sources, the bug affects the Microsoft Malware Protection Engine (MsMpEng), a core service that ships with Windows 7, Windows 8.1, Windows 10, and Windows Server 2016, and which is the scanning core of many of Microsoft's security tools, such as:
Microsoft Security Essentials
Microsoft Endpoint Protection
Microsoft System Center Endpoint Protection
Windows Intune Endpoint Protection
Microsoft Forefront Security for SharePoint Service Pack 3
Microsoft Forefront Endpoint Protection 2010
Vulnerability is trivially exploitable
The researchers say the issue can be exploited with no user interaction needed.
“Vulnerabilities in MsMpEng are among the most severe possible in Windows, due to the privilege, accessibility, and ubiquity of the service,” Tavis Ormandy, one of the Google researchers says.
This is because the service runs without sandboxing, a basic and very effective security feature, and also because it runs as NT AUTHORITY\SYSTEM, a system-level account with no limitations.
Furthermore, the service is included by default on all recent Windows operating systems, exposing hundreds of millions of PCs to remote attack.
Microsoft patches issue within days
Unlike past incidents, where Microsoft has allowed exploited zero-day vulnerabilities to fester in the wild without being bothered to deliver a patch for months, this time around, the company moved lightning fast to address the issue.
In just a few days, the company had prepared and already shipped a patch to fix the vulnerable MsMpEng service.
According to a Microsoft advisory, the first version of the Microsoft Malware Protection Engine affected by this flaw is v1.1.13701.0. The issue has been patched in v1.1.13704.0, released a few hours ago, and which has already reached some users (screenshot above).
Microsoft also said that on the latest Windows platforms the risk of exploitation should be lower if the user has turned on Windows CFG (Control Flow Guard), a security feature that makes exploitation of memory-corruption vulnerabilities much harder.
The vulnerability is tracked as CVE-2017-0290. The two Google researchers also released proof-of-concept exploit code. The entire exploit fits in a tweet. To help spread the word about this issue, US-CERT has also released an accompanying alert.
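As an added example that is not part of the article or of Microsoft's advisory, the check below reads the local Malware Protection Engine version through the Defender PowerShell module (Get-MpComputerStatus, assumed to be available on the machine) and reports whether it falls inside the affected range the advisory describes for CVE-2017-0290:

```powershell
# Added example (not from the article). Checks whether the local MsMpEng build is in the
# window the advisory describes: first affected 1.1.13701.0, fixed in 1.1.13704.0.
# Assumes the Defender module (Get-MpComputerStatus, Update-MpSignature) is present.

$FirstAffected = [version]'1.1.13701.0'   # first affected engine version, per the advisory
$FixedVersion  = [version]'1.1.13704.0'   # engine version that contains the fix

function Test-MsMpEngVulnerable {
    param([Parameter(Mandatory)][version]$EngineVersion)
    # Vulnerable only inside [FirstAffected, FixedVersion); anything older or newer is outside it.
    return ($EngineVersion -ge $FirstAffected) -and ($EngineVersion -lt $FixedVersion)
}

function Get-MsMpEngAssessment {
    $status = Get-MpComputerStatus
    # AMEngineVersion is a dotted string such as "1.1.13704.0"; cast it so comparison is numeric,
    # not lexical (a string compare would rank "1.1.9000.0" above "1.1.13704.0").
    $engine = [version]$status.AMEngineVersion
    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        EngineVersion = $engine
        Vulnerable    = Test-MsMpEngVulnerable -EngineVersion $engine
        Fixed         = ($engine -ge $FixedVersion)
    }
}

$assessment = Get-MsMpEngAssessment
$assessment | Format-List

if ($assessment.Vulnerable) {
    # Engine updates ship with definition updates, so pulling the latest signatures
    # is the normal way to move past the affected build.
    Write-Warning "MsMpEng $($assessment.EngineVersion) is in the CVE-2017-0290 affected range; updating."
    Update-MpSignature
    Get-MsMpEngAssessment | Format-List
}
```

Run it in an elevated PowerShell session; on a fleet, the assessment object is easy to collect per host and filter on the Vulnerable field.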