Microsoft has suffered the embarrassment of finding a serious flaw in its Malware Protection Engine product, but thanks to British researcher Tavis Ormandy - who alerted Microsoft to the problem – the bug has been patched before it could be exploited.
Microsoft said in a 17 June advisory that it has fixed bug CVE-2014-2779. which could have allowed a denial of service attack if the MS Malware Protection Engine scans a specially crafted file.
An attacker could have exploited this vulnerability to prevent the engine from working until the rogue file was manually removed and the service restarted.
The Malware Protection Engine provides the scanning, detection, and cleaning capabilities for Microsoft's anti-virus and anti-spyware software. But the company said it “had not received any information to indicate that this vulnerability had been publicly used to attack customers”.
Microsoft group manager Dustin C Childs explained: “We appreciate the researcher reporting this to us privately and for allowing us to release the update before there was any impact to our global customers.”
The researcher in question is Tavis Ormandy, an information security engineer at Google, originally from England but now based in California.
Defender, which scans for spyware and other bugs, is one of the products shipped with the Malware Protection Engine.
Microsoft said the vulnerability could only be exploited when the engine is tripped up by a specially crafted file. But it explained: “There are many ways that an attacker could place a specially crafted file in a location that is scanned by the Malware Protection Engine. For example, an attacker could use a website to deliver a specially crafted file to the victim's system that is scanned when the website is viewed by the user.
“An attacker could also deliver a specially crafted file via an email message or in an Instant Messenger message that is scanned when the file is opened. In addition, an attacker could take advantage of websites that accept or host user-provided content, to upload a specially crafted file to a shared location that is scanned by the Malware Protection Engine running on the hosting server.
“In addition, exploitation of the vulnerability could occur when the system is scanned using an affected version of the Malicious Software Removal Tool (MSRT).”
Microsoft said systems admins should not have to do anything to install the update because the engine's “built-in mechanism for the automatic detection and deployment of updates will apply the update within 48 hours of release. The exact time-frame depends on the software used, internet connection and infrastructure configuration.”
Commenting on the flaw, Steve Smith, MD of security consultancy Pentura, told SCMagazineUK.com via email: “It's not uncommon for bugs to be found in anti-virus and security software, as they tend to be very complex and are constantly being updated to address new threats. No software is perfect.
“What is important is that the vulnerability has been detected before any known exploit has been developed and that an automated update will be available within 48 hours. It does highlight the importance of keeping all security software up-to-date with the latest patches, to minimise exposure to new vulnerabilities.”
The full list of Microsoft security products affected is:
* MS Forefront Client Security
* Forefront Endpoint Protection 2010
* Forefront Security for SharePoint Service Pack 3
* MS System Center 2012 Endpoint Protection
* System Center 2012 Endpoint Protection Service Pack 1
* MS Malicious Software Removal Tool (May 2014 or earlier versions)
* MS Security Essentials
* Security Essentials Pre-release
* Windows Defender for Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2
* Windows Defender for Windows RT and Windows RT 8.1
* Windows Defender for Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2
* Windows Defender Offline
* Windows Intune Endpoint Protection