Microsoft Issues Emergency Out-Of-Band Update to Fix “Crazy Bad” Vulnerability

By 

Patched Microsoft Malware Protection Engine

In an emergency out-of-band update released late last night, Microsoft fixed a vulnerability in the Microsoft Malware Protection Engine discovered by two Google security experts over the weekend, and which the two described as “crazy bad” and “the worst Windows remote code exec in recent memory.”

While initially the two Google experts didn’t reveal what Windows feature the bug was found in, the veil of mystery lifted yesterday when both Microsoft and the two experts shared more details about the issue.

Vulnerability affects Microsoft Malware Protection Engine

As per the two sources, the bug affects the Microsoft Malware Protection Engine (MsMpEng), a core service that ships with Windows 7, Windows 8.1, Windows 10, and Windows Server 2016, and which is the core of many of Microsoft security tools, such as:

  • Windows Defender
  • Microsoft Security Essentials
  • Microsoft Endpoint Protection
  • Microsoft System Center Endpoint Protection
  • Windows Intune Endpoint Protection
  • Microsoft Forefront Security for SharePoint Service Pack 3
  • Microsoft Forefront Endpoint Protection 2010

According to the Google experts, the bug is a “type confusion” vulnerability in NScript, the MsMpEng component that handles “any filesystem or network activity that looks like JavaScript.”

The two experts say that NScript mishandles how it interprets some JavaScript object types, which allows them to deliver an exploit that can use the Microsoft Malware Protection Engine to execute malicious code.

Vulnerability is trivially exploitable

The researchers say the issue can be exploited with no user interaction needed.

This includes scenarios such as sending an email with the exploit included in the message’s body, hosting malicious JavaScript code inside a web page, or by delivering a JS exploit to thousands or millions on users, via ads on reputable sites.

“Vulnerabilities in MsMpEng are among the most severe possible in Windows, due to the privilege, accessibility, and ubiquity of the service,” Tavis Ormandy, one of the Google researchers says.

This is because the service runs without sandboxing — a basic and very efficient security feature —, but also because the service runs as
NT AUTHORITY\SYSTEM, a system-level user with no limitations.

Furthermore, the service is included by default on all recent Windows operating system, exposing hundreds of millions of PCs to remote hacking.

Microsoft patches issue within days

Unlike past incidents, where Microsoft has allowed exploited zero-day vulnerabilities to fester in the wild without being bothered to deliver a patch for months, this time around, the company moved lightning fast to address the issue.

In just a few days, the company had prepared and already shipped a patch to fix the vulnerable MsMpEng service.

According to a Microsoft advisory, the first version of the Microsoft Malware Protection Engine affected by this flaw is v1.1.13701.0. The issue has been patched in v1.1.13704.0, released a few hours ago, and which has already reached some users (screenshot above).

Microsoft also said that on latest Windows platforms, the risk of exploitation should be lower if the user has turned on Windows CFG (Control Flow Guard), a security feature that can make exploitation of memory-based vulnerabilities much harder.

The vulnerability is tracked as CVE-2017-0290. The two Google researchers also released proof-of-concept exploit code. The entire exploit fits in a tweet. To help spread the word about this issue, US-CERT has also released an accompanying alert.

World reels from massive cyberattack that hit nearly 100 countries

by Jethro Mullen, Samuel Burke and Selena Larson @CNNMoney

Organizations around the world were digging out Saturday from what experts are calling one of the biggest cyberattacks ever.
Hospitals, major companies and government offices were hit by a virus that seeks to seize control of computers until the victims pay a ransom.
Cybersecurity firm Avast said it had identified more than 75,000 ransomware attacks in 99 countries on Friday, making it one of the broadest and most damaging cyberattacks in history.
Avast said the majority of the attacks targeted Russia, Ukraine and Taiwan. But U.K. hospitals, Chinese universities and global firms like Fedex (FDX) also reported they had come under assault.
Security experts said the spread of the ransomware had been stopped late Friday. But it remained unclear how many organizations had already lost control of their data to the malicious software — and researchers warned that copycat attacks could follow.
Europol said Saturday that the attack was of an “unprecedented level and requires international investigation.” And the U.K. government called an emergency meeting over the crisis.
U.S. Treasury Secretary Steven Mnuchin, at a meeting of world leaders in Italy, said the attack was a reminder of the importance of cybersecurity. “It’s a big priority of mine that we protect the financial infrastructure,” he said.
The ransomware, called WannaCry, locks down all the files on an infected computer and asks the computer’s administrator to pay in order to regain control of them. The exploit was leaked last month as part of a trove of NSA spy tools.
The ransomware is spread by taking advantage of a Windows vulnerability that Microsoft (MSFT, Tech30) released a security patch for in March. But computers and networks that hadn’t updated their systems were still at risk.
In the wake of the attack, Microsoft said it had taken the “highly unusual step” of releasing a patch for computers running older operating systems including Windows XP, Windows 8 and Windows Server 2003.
But the patches won’t do any good for machines that have already been hit.
“Affected machines have six hours to pay up and every few hours the ransom goes up,” said Kurt Baumgartner, the principal security researcher at security firm Kaspersky Lab. “Most folks that have paid up appear to have paid the initial $300 in the first few hours.”
Related: 5 things to know about the attack
Experts told CNNTech that an unidentified cyber security researcher accidentally stopped the spread of WannaCry by registering a domain name contained in the ransomware’s code.
The researcher, who uses the Twitter handle @malwaretechblog, told CNNTech they registered the domain name in order to study the virus, but it turned out the ransomware needed it to remain unregistered to keep spreading.
However, a hacker could change the code to remove the domain name and try the ransomware attack again.
And WannaCry has already caused massive disruption around the globe.
Sixteen National Health Service organizations in the UK were hit, and some of those hospitals canceled outpatient appointments and told people to avoid emergency departments if possible. The NHS said in a statement on Saturday that there was no evidence that patient information had been compromised.
In China, the internet security company Qihoo360 issued a “red alert” saying that a large number of colleges and students in the country had been affected by the ransomware, which is also referred to as WannaCrypt. State media reported that digital payment systems at PetroChina gas stations were offline, forcing customers to pay cash.
Related: NSA’s powerful Windows hacking tools leaked online
“Global internet security has reached a moment of emergency,” Qihoo360 warned.
Major global companies said they also came under attack.
Fedex said Friday it was “experiencing interference with some of our Windows-based systems caused by malware” and was trying to fix the problems as quickly as possible. Two big telecom companies, Telefónica (TEF) of Spain and Megafon of Russia, were also hit.
“This is turning into the biggest cybersecurity incident I’ve ever seen,” U.K.-based security architect Kevin Beaumont said.
How a ransomware attack can affect emergency services


Russia’s Interior Ministry released a statement Friday acknowledging a ransomware attack on its computers, adding that less than 1% of computers were affected, and that the virus was now “localized” and being destroyed.
The U.S. Department of Homeland Security, in a statement late Friday, encouraged people to update their operating systems. “We are actively sharing information related to this event and stand ready to lend technical support and assistance as needed to our partners, both in the United States and internationally,” the department said.
Related: How leaked NSA spy tools created a hacking free-for-all
According to Matthew Hickey, founder of the security firm Hacker House, the attack is not surprising, and it shows many organizations do not apply updates in a timely fashion.
When CNNTech first reported the Microsoft vulnerabilities leaked in April, Hickey said they were the “most damaging” he’d seen in several years, and warned that businesses would be most at risk.
Consumers who have up-to-date software are protected from this ransomware. Here’s how to turn automatic updates on.
It’s not the first time hackers have used the leaked NSA tools to infect computers. Soon after the leak, hackers infected thousands of vulnerable machines with a backdoor called DOUBLEPULSAR.
— Donna Borak, Samuel Burke, Mariano Castillo, Jessica King, Yuli Yang, Steven Jiang, Clare Sebastian and Livvy Doherty contributed to this report.
CNNMoney (Hong Kong)
First published May 13, 2017: 9:57 AM ET

Font Resize