Slashdot Mirror


Microsoft's 'Malware Protection Engine' Had A Remote Code Execution Flaw (theregister.co.uk)

Slashdot reader Trax3001BBS shares an article from The Register: Microsoft posted an out-of-band security update Thursday to address a remote code execution flaw in its Malware Protection Engine. Redmond says the flaw, dubbed CVE-2017-11937, has not yet been exploited in the wild. Because it is an out-of-band critical fix, however, it should be installed as soon as possible. For most users, this will happen automatically.

The security hole is present in Windows Defender and Microsoft Security Essentials, as well as Endpoint Protection, Forefront Endpoint Protection, and Exchange Server 2013 and 2016... According to Microsoft, the vulnerability can be triggered when the Malware Protection Engine scans a downloaded file to check for threats. In many systems this is set to happen automatically for all new files. By exploiting a memory corruption error in the malware scanning tool, the attack file would be able to execute code on the target machine with LocalSystem privileges.


  1. I'm already secure against this by Anonymous Coward · · Score: 0

    I keep known-good copies of the software I use on a physical external drive and install from there.

    Common Sense AV 2018 and minimal software needs FTW.

    1. Re:I'm already secure against this by Anonymous Coward · · Score: 0

      (snickers) So your Windows is secure? (snickers)

    2. Re:I'm already secure against this by NicknameUnavailable · · Score: 1

      If you haven't caught on by now: Microsoft employs a form of rotating backdoor where a set of patches fix security holes but introduce new ones. It's a method to keep the backdoor secure against third parties while still allowing them access. It's technically "secure against this," unless you define "this" to mean "the backdoor" instead of "the specific implementation of the backdoor," in which case it is not and will likely never be.

    3. Re:I'm already secure against this by Anonymous Coward · · Score: 0

      Me too. I don't use and will never use Windows 10, which IS the malware.

    4. Re:I'm already secure against this by Anonymous Coward · · Score: 0

      Where did those "known-good copies" come from??

    5. Re:I'm already secure against this by Anonymous Coward · · Score: 0

      I think you'll find your 'rotating backdoor' is normal development practice, not something unique to Microsoft. The rest of your comment doesn't really make sense.

    6. Re: I'm already secure against this by Anonymous Coward · · Score: 0

      Automatic updates enable this. Before Windows Update we patched manually. And we were better for it.

    7. Re:I'm already secure against this by Anonymous Coward · · Score: 0

      Microsoft employs a form of rotating backdoor where a set of patches fix security holes but introduce new ones. It's a method to keep the backdoor secure against third parties while still allowing them access.

      I know this because Microsoft called me last night and made sure my security holes were fixed! But I thought it was funny how Microsoft sounded like Apu from The Simpsons.

    8. Re:I'm already secure against this by phantomfive · · Score: 1

      Apparently you use a browser. Your security has a huge hole.

      --
      "First they came for the slanderers and i said nothing."
  2. True enterprise grade by fubarrr · · Score: 1

    True enterprise grade bugs, now not only Apple's monopoly

    1. Re: True enterprise grade by Brockmire · · Score: 1

      Apple's bugs were not Enterprise grade, they were trivial. Stop trying to make Apple look better after another epic fail.

  3. I got a Mac instead of a Win10 laptop by Hal_Porter · · Score: 2

    Still, I've got to admit MS are doing a pretty decent job on security at the moment. This hole is already patched and the KRACK vulnerability was patched before it was made public.

    https://www.bleepingcomputer.c...

    Pretty sneaky, Microsoft. While some vendors were scrambling to release updates to fix the KRACK Attack vulnerability released today, Microsoft quietly snuck the fix into last week's Patch Tuesday.

    While Windows users were dutifully installing October 10th's Patch Tuesday security updates, little did they know they were also installing a fix for the KRACK vulnerability that was not publicly disclosed until today. This fix was installed via a cumulative update that included over 25 other updates, but didn't provide any useful info until you visited the associated knowledge base article.

    Even if you were bored enough to actually click on the More info button, you would have had to be REALLY bored to even spot a reference to a vague mention of a wireless security update in the last bullet item of the knowledge base article.

    --
    echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
    1. Re:I got a Mac instead of a Win10 laptop by Zero__Kelvin · · Score: 2

      The KRACK vulnerability was fixed on every OS before it was made public. That was the whole prerequisite to it being made public. You might as well congratulate your girlfriend on waiting to get an STD until after she had sex.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    2. Re: I got a Mac instead of a Win10 laptop by c6gunner · · Score: 1

      I would have been more impressed if she got an STD before she has sex.

    3. Re:I got a Mac instead of a Win10 laptop by Hal_Porter · · Score: 1

      Google didn't fix it until after it was made public. Neither did Apple. And if you have an Android device you need to wait for the vendor to release it.

      https://techcrunch.com/2017/10...

      --
      echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
    4. Re: I got a Mac instead of a Win10 laptop by Zero__Kelvin · · Score: 1

      Yeah ... that's the point.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    5. Re: I got a Mac instead of a Win10 laptop by Zero__Kelvin · · Score: 3, Informative

      You should be careful where you get your news. That article says Microsoft was "leading the pack" even though OpenBSD had the fix months earlier because Theodore the rat violated the agreement for all vendors to wait and fix it at the same time. Linux also already had a fix. Google and Apple both had fixes as well; they just hadn't rolled them out to every device yet. If you know anything about Android you know it is outside of Google's control, just as the Linux team can't force every distro to roll out a patch. Again, "Microsoft is leading the pack here" is a bald-faced lie.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    6. Re: I got a Mac instead of a Win10 laptop by Brockmire · · Score: 1

      Wow, about Theo. I wonder if that puts future disclosures at risk of being left out of early notification. Did he slip it in or was it obvious and noted in changelogs?

  4. Too bad I disabled windows update by Anonymous Coward · · Score: 0

    because they fucking abused it to death. Guess I'll just have to completely disable Windows Defender now (currently on-demand only - as all AV should always be).

    I would consider patching it, if there were a standalone patch, but no patch from Microsoft can be trusted anymore.

    Not that big a deal really, Clamwin and Malwarebytes do the job just fine (again on-demand only).

  5. Translation by slshdtisctrldbysjws · · Score: 2

    Remote Code Execution Flaw

    =

    Engineered Vulnerability

    The deck is stacked against us. Publicly traded companies and the federal government are the same entity. They are conspiring to throw us down into the deepest possible slavery and probably to kill/sterilize us once they have the machines to replace us.

    The possibility to resolve this problem without utter chaos lasting indefinitely is closing. Those of us who realize the threat need to band together NOW and bleed this system dry with sabotage and seek to rebuild our republic.

    --
    My karma was manually wiped by site staff https://slashdot.org/~slshdtisctrldbysjws 18 mod up, 10 mod down = bad karma
    1. Re:Translation by Anonymous Coward · · Score: 0

      Fuckin A. Preach it man.

      The best way I have found is to stop buying things, ditch the car, unload all the chains they put on you. A man who wants nothing cannot be bought.

    2. Re:Translation by chill · · Score: 1

      You joke, but The Four Noble Truths of Buddhism are:

      1) All life is suffering
      2) Suffering is caused by desire
      3) Eliminate desire and you eliminate suffering
      4) Follow the Noble Eightfold Path to eliminate desire.

      --
      Learning HOW to think is more important than learning WHAT to think.
    3. Re:Translation by Anonymous Coward · · Score: 0

      Actually, I don't joke.

      No car, no credit card, no cellphone. All are strings used to play you like a puppet.

      Fuck the police! Corrupt fuckers taking over our democracies. Don't give them anything to manipulate you with, and call them out on their corruption publicly constantly. They cannot sue for defamation because they cannot prove they are not corrupt because they answer to no one. (at least the RCMP here in Canada, but I expect it is just as bad in many other places in the world.)

      And I am familiar with the tenets of Buddhism, but thanks for the reminder!

    4. Re:Translation by Zero__Kelvin · · Score: 2

      Great. Now if you would just take the final step and go "no computer" we would all appreciate it. Thanks.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    5. Re:Translation by Anonymous Coward · · Score: 0

      Found the pig.

      Oink Oink.

      Your days are numbered fuckers.

    6. Re: Translation by Anonymous Coward · · Score: 0

      He would be kind of funny if you could be sure he wasn't actually genuinely delusional.

    7. Re: Translation by Anonymous Coward · · Score: 0

      Everybody fucking knows it dipshit. It is just that very few have divested anything to lose and so can say it out loud as I do. You can spam all the propaganda you want, it will not make any difference. You are not fooling anyone.

      And stay the fuck away from my extended family or it is going to get really fucking dirty next time. Dirtier than your feeble mind can imagine.

    8. Re: Translation by Anonymous Coward · · Score: 0

      And by the way, you are going to regret that attack, because it shows exactly how corrupt you are. You forget the political power of the group you are dealing with. You may have killed some of us, but you will expose yourself before you kill all of us.

    9. Re: Translation by Anonymous Coward · · Score: 0

      We've already infiltrated your family. We're everywhere, hidden in plain sight. Long live Queen Elizardbeth.

    10. Re: Translation by Anonymous Coward · · Score: 0

      And I already possess the souls of your children, that's why they hate you.

    11. Re: Translation by Anonymous Coward · · Score: 0

      Yeah, because you're a real tough guy, right? I bet you know (or at least think you know) some "martial" arts and think that garbage holds up in a real fight, like in those there moving pictures.

      You couldn't tear a wet Kleenex, what the fuck makes you think you could do anything to me, junior? I'll be around to kick the shit out of and rape anyone in your family and make you watch and suck my fat cock while I do it.

    12. Re: Translation by Anonymous Coward · · Score: 0

      Nothing to do with such base qualities as prowess in martial arts. This is a demonstration of how fucking feeble your mind is.

      You have no fucking idea how much you are hated. Keep gathering in groups in dress uniform for memorials. See what happens. Keep ignoring the International Red Cross. Keep ignoring the fact that everyone knows how corrupt you are, and the more people that are exploited and abused until they have nothing to lose, the more people you have willing to do anything to rid the world of your foul and disgusting presence.

      Your days are numbered pig. Enjoy it while you can, because it will all be over soon.

    13. Re: Translation by Anonymous Coward · · Score: 0

      Settle down Francis!

  6. RUSSIANS! by Anonymous Coward · · Score: 0

    Not since the Russians wrote the software. Kaspersky helped Donald TRUMP to win the election.

  7. So? by Anonymous Coward · · Score: 0

    What anti-virus hasn't had a story about it having some flaw or another? What's the news element here?

  8. Mine (no bugs to date for 5++ yrs. now) by Anonymous Coward · · Score: 0

    See subject & https://it.slashdot.org/comments.pl?sid=11461611&cid=55711709/ "bugfree & bulletproof" SIMPLE design that does more for giving you more speed (other antivirus/antispyware SLOWS YOU DOWN), security, reliability & anonymity online than ANY other single "so-called 'security solution'" out there for FAR LESS resources consumed, natively.

    * That's one that hasn't had security issues in it (& it even protects hosts above & beyond Windows ACL based WFP/SFP + so much so, nothing I've tried MYSELF in usermode can "bust thru it"...)

    APK

    P.S.=>... & "there ya go" - you didn't have to look TOO far, just the post beneath yours... apk

    1. Re:Mine (no bugs to date for 5++ yrs. now) by Anonymous Coward · · Score: 0

      It's possible you are an ubercoder and have no security vulnerabilities.
      It's possible you're not aware of any because nobody actually uses your program to find them.

    2. Re: Mine (no bugs to date for 5++ yrs. now) by Brockmire · · Score: 1

      I know you have lists of domains to block, but how are you avoiding using any DNS lookups to actually speed things up? Do you have millions of entries in your hosts file? Between 4-7% of my daily DNS traffic is blocked for ads. All the good sites still need to be looked up by DNS. Which doesn't change the speed at all using your hosts shit. Stop lying about the benefits of your fucking hosts app. You're clueless with all the supposed advantages you falsely claim. It's just a fucking list aggregator, it's nothing special. If someone gave you a cookie and a pat on the back, would you fuck off?

  9. More people do than your non-existent work by Anonymous Coward · · Score: 0

    "I'm going to continue using the Host File Engine. Your software is well written, functional. The Host File Engine performs exactly as promised" - by mmell on Thursday February 16, 2017

    "I've never tried to belittle (APK's work), I've flat out said it's good" - by BronsCon on Thursday February 11, 2016

    "his hosts program is actually pretty good" - by xenotransplant on Monday August 10, 2015

    "his hosts tool is actually useful for those cases in which one does indeed want to locally block stuff outright while consuming minimum system resources" by alexgieg on Friday September 25, 2015

    "I like your host file system." - by Karmashock on Wednesday September 09, 2015 (#50489401)

    "I do use APK's host file on all my systems at home" by OrangeTide on Friday December 01, 2017

    "I personally use a HOSTS file blocker produced from a genius called APK. Ever heard of him?" by 110010001000 on Friday October 27, 2017

    * Want more?

    APK

    P.S.=> I've got tons more than those... apk

  10. Yanno by nehumanuscrede · · Score: 1

    I refuse to even consider anything by APK, not because of who they are, but because of how often they spam their work on here.

    There is a point where advertising becomes counter-productive and I just start ignoring it or take steps to eradicate it.

  11. Fine/That's ok (your loss) but? by Anonymous Coward · · Score: 0

    The troll before you I replied to has a point & it hits on another thread & what I did to AVOID what he points out https://developers.slashdot.org/comments.pl?sid=11462899&cid=55712119/ - just because it HASN'T HAPPENED TO ME TO DATE?

    Doesn't mean something WON'T ever surface!

    (... & I've had to prove antivirus companies wrong on it no less when they falsely accused my ware of being malware (I was using ExePacking which they STUPIDLY FLAG as 'malware' & it works to not only protect a program but to make it load up from disk or across LANs faster))

    Maybe I've been lucky so far (the AV companies tore my work up LOOKING for issues, they found none - I'm a competitor, I don't blame them, lol - A BETTER COMPETITOR in fact - my work does MORE for far less resource consumption & way, Way, WAY LESS BUGS) but I think not - see link above.

    I've never EVER said I was "uber coder" either (only that I can & DO get the job done, right) - there IS no such man (only harder more dedicated workers who know the process & data they work on TOTALLY) just as there is no best as it's all purely arbitrary opinion in many things (vs. fact - @ least with programs you CAN compare on facts/abilities/performance etc. though).

    APK

    P.S.=> LASTLY - /. "advertises" all DAY on "OpenSORES" this, Linux that, Google this etc. so "give me a break" hypocrite... apk

  12. Microsoft Security Flaw? by hduff · · Score: 1
    --
    "I believe in Karma. That means I can do bad things to people all day long and I assume they deserve it." : Dogbert
    1. Re:Microsoft Security Flaw? by Anonymous Coward · · Score: 0

      Actually that's exactly what it means, little boy. One day, when you grow up, if you stick with it and study computers and technology really hard, you might understand a tiny fraction of what I do, kiddo.

  13. Again! by Chris+Mattern · · Score: 1

    "Out of band" does not mean "unscheduled", you dozy twats!

  14. No such issue here blocking threat sources by Anonymous Coward · · Score: 0

    See subject & NEW APK Hosts File Engine 10++ 32/64-bit https://www.google.com/search?hl=en&source=hp&biw=&bih=&q=%22APK+Hosts+File+Engine%22+and+%22start64%22&btnG=Google+Search&gbv=1/

    Ads/script/malware rob speed/security/privacy/bandwidth.

    Hosts add speed (via hardcodes/adblocks), security (vs. bad sites/malware/poisoned dns), reliability (vs. dns down), & anonymity (vs. dns requestlogs/trackers).

    Less power/cpu/ram + IO use vs. DNS/routers/addons/antivirus + less security bugs/complexity & faster vs. addons/routers/remote dns!

    Avoids DNSChangers in routers/IP settings & dns redirect (99++% of ISP DNS != patched vs. it) + DNS tracking & lighten DNS load & resolve faster via local RAM!

    * Via what u NATIVELY have in a FASTER kernelmode IP stack (does more w/ less).

    APK

    P.S. - Safe https://www.virustotal.com/en/file/e01211ca36aa02e923f20adee0a3c4f5d5187dc65bdf1c997b3da3c2b0745425/analysis/1433430542/ (self checking vs. infection of it built-in)

  15. Quit using kernelspace for the sandbox by Anonymous Coward · · Score: 0

    Seriously, why is the sandbox running in kernel mode? Still?

    https://twitter.com/taviso/status/938843995500720128

    We are so lucky he hasn't taken a bath yet this month...
    Can't guarantee when the next shower will be though. Making exploits rain...

  16. Don't feel bad Microsoft by Anonymous Coward · · Score: 0

    This morning I got up, grabbed my coffee, was heading out the door to have a great day, but my redwood tree has low hangin branches, and as I opened the door to my Toyota Highlander I ducked the branch and BAMN hit on the pointy top corner.

    That kind of pain can drop you to your knees, I sucked it up, ran back in to the bathroom, looked in the mirror, and big red bump sticking out, thank god NO BLOOD. So this second nose is coming out of my forehead now, I go from pain to ANGER, and grab the hand clippers (To go attack a 3" + diameter branch) to go cut that bastard down, clip clip clip, lookin good, clip clip crunch, OW! now my thumb has a BLOOD blister (about where the safety on your 1911 touches the thumb) oh my god...

    So it's a week later and finally I can turn the safety on and off with one hand again
    The moral of the story is Microsoft sucks, and then you'll suck more and spurt blood out AND it takes weeks to heal from it just like it takes weeks to load up a new Linux after abandoning the upgrade 10 death loop.
    I SEE Skilsaws and nailguns for the future. Maybe I can file the corner of the Highlander to a knife sharpness, and just put the eye out next time, maybe you'll cut your hand getting a ride AS you jump in. Here's a bandaid (I always carry a 1st aid kit)

  17. wat by Anonymous Coward · · Score: 0

    cool story bro

  18. YOU provide the lists yourself... apk by Anonymous Coward · · Score: 0

    See subject: For where you spend most time online for more speed, reliability & security, add its list of your fav. sites & it resolves them for you in its "Speedup Favorite Sites" tab!

    * It yields the following benefits:

    1.) Avoid remote DNS lookup & resolves faster locally from system RAM (speed)
    2.) Avoid DNS tracking (security)
    3.) Avoid DNS down (reliability)
    4.) Avoid DNS redirect poisonings (security) ... & it lightens DNS load (bonus for admins of them).

    (All placed @ TOP of hosts for fastest resolution - your router, or your browser histories can assist here above & beyond your immediate memory of where you go most).

    APK

    P.S.=> Done via its TOOLS menu, Directly edit your favorite sites (SITES.TXT) submenu (or manually edit that .txt in the program folder). There are examples in there already (mostly /. domain & subdomains in there now) that it will reverse DNS verify to do so... apk
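The hosts-file-first lookup order the post above relies on (favourite sites hard-coded at the top, a blocklist below, everything else falling through to DNS), as an added example that is not part of this thread or of the APK tool; the file contents and the RFC 5737 addresses are constructed, and the first-match-wins rule is the one the OS resolver applies:

```python
"""Hosts-file-first name resolution (constructed example).

Parses a hosts file in the standard format (IP, one or more hostnames,
optional '#' comment), applies the first-match-wins rule the OS resolver
uses, and classifies a lookup as a hard-coded favourite (served locally),
a blocked name (sinkholed), or a miss that would go out to remote DNS.
"""
from __future__ import annotations

# Addresses blocklists use to sink a name. 127.0.0.1 is also common, but it
# collides with the legitimate localhost entry and makes the client connect to
# any local listener, so 0.0.0.0 (immediate connect failure) is preferred.
SINKHOLE_ADDRESSES = {"0.0.0.0", "::"}

# Constructed hosts file; 192.0.2.0/24 is documentation space (RFC 5737).
SAMPLE_HOSTS = """\
# --- favourite sites, hard-coded at the top so they are matched first ---
192.0.2.10   news.example   www.news.example
192.0.2.20   mail.example.  # trailing dot is tolerated

# --- blocklist (ads / trackers) ---
0.0.0.0      ads.example tracker.example
0.0.0.0      news.example   # duplicate: ignored, the entry above wins
127.0.0.1    localhost
::1          localhost ip6-localhost
bogus-line-without-ip
"""


def parse_hosts(text: str) -> list[tuple[str, str]]:
    """Return (hostname, ip) pairs in file order; comments and junk dropped."""
    entries: list[tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip trailing comment
        fields = line.split()
        if len(fields) < 2:                  # blank, or no hostname after the IP
            continue
        ip, names = fields[0], fields[1:]
        for name in names:
            entries.append((name.lower().rstrip("."), ip))
    return entries


def resolve(hostname: str, entries: list[tuple[str, str]]) -> tuple[str, str | None]:
    """Hosts-first lookup.  Returns ("hosts", ip), ("blocked", ip) or ("dns", None)."""
    key = hostname.lower().rstrip(".")
    for name, ip in entries:  # first match wins, exactly like the OS resolver
        if name == key:
            return ("blocked", ip) if ip in SINKHOLE_ADDRESSES else ("hosts", ip)
    return ("dns", None)      # not in the file: a remote DNS query would follow


if __name__ == "__main__":
    table = parse_hosts(SAMPLE_HOSTS)
    for host in ("news.example", "WWW.NEWS.EXAMPLE", "tracker.example",
                 "localhost", "unknown.example"):
        print(f"{host:20} -> {resolve(host, table)}")
```

Only programs that go through the OS resolver see the file; an application that resolves names itself (for example over DNS-over-HTTPS) bypasses it entirely.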

  19. Addendum to how SITES.TXT works... apk by Anonymous Coward · · Score: 0

    See subject: What I explained works a GOOD 96++% of the time vs. slower exploitable remote DNS https://it.slashdot.org/comments.pl?sid=11461611&cid=55716809/ for myself & it should for you too - you can add AS MANY AS YOU LIKE to make it potentially moreso (operates @ speed of system RAM, far faster vs. remote DNS & a hell of a lot more securely + reliably).

    Apparently, you don't understand how TCP/IP name resolution works - now, you do.

    * NOW - As to the rest of your BULLSHIT?

    The day YOU CAN DO BETTER YOURSELF, writing it up as a GUI multithreaded & multitasking single .exe file (that even protects itself vs. infection) is the day you have the RIGHT to talk to me that way BOY!

    (You never can OR will - that much I am assured of & can assure ANYONE HERE that is the case in YOUR case...)

    APK

    P.S.=> My program works + Malwarebytes both HOSTS & RECOMMENDS it & dozens of /.ers like & use my work in it... apk

  20. strange name. by Anonymous Coward · · Score: 0

    Malware Protection Engine = engine that protects malware?

  21. RoTfLmAo... apk by Anonymous Coward · · Score: 0

    See subject & you had me laughing my ass off @ that one (funnier than hell) - nothing against "the truly free man has no possessions" dude though either (he has a point TO AN EXTENT of course from my 'pov') - but after what he said & you unloading w/ that one?

    * RoTfLmAo!

    APK

    P.S.=> Thank-You - it honestly started my day the RIGHT way that little exchange you guys had (the later parts were funny in some ways too - the "you couldn't tear a wet Kleenex" stuff was pretty righteous laughter for me too! In the end though? I hope nobody's TRULY enraged though - look @ the bright side BOTH of you - you both had me LAUGHIN' MY ASS OFF)... apk