-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.1151
     4022344 - Security Update for Microsoft Malware Protection Engine
                                9 May 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Microsoft Malware Protection Engine
Publisher:         Microsoft
Operating System:  Windows 7
                   Windows 8.1
                   Windows RT 8.1
                   Windows 10
                   Windows Server 2016
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-0290  

Original Bulletin: 
   https://technet.microsoft.com/en-us/library/security/4022344

- --------------------------BEGIN INCLUDED TEXT--------------------

Microsoft Security Advisory 4022344

Security Update for Microsoft Malware Protection Engine

Published: May 8, 2017

Executive Summary

Microsoft is releasing this security advisory to inform customers that an 
update to the Microsoft Malware Protection Engine addresses a security 
vulnerability that was reported to Microsoft.

The update addresses a vulnerability that could allow remote code execution if
the Microsoft Malware Protection Engine scans a specially crafted file. An 
attacker who successfully exploited this vulnerability could execute arbitrary
code in the security context of the LocalSystem account and take control of 
the system.

The Microsoft Malware Protection Engine ships with several Microsoft 
antimalware products. See the Affected Software section for a list of affected
products. Updates to the Microsoft Malware Protection Engine are installed 
along with the updated malware definitions for the affected products. 
Administrators of enterprise installations should follow their established 
internal processes to ensure that the definition and engine updates are 
approved in their update management software, and that clients consume the 
updates accordingly.

Typically, no action is required of enterprise administrators or end users to
install updates for the Microsoft Malware Protection Engine, because the 
built-in mechanism for the automatic detection and deployment of updates will
apply the update within 48 hours of release. The exact time frame depends on 
the software used, Internet connection, and infrastructure configuration.

Advisory Details

Issue References

For more information about this issue, see the following references:

References                                                                                  Identification
Last version of the Microsoft Malware Protection Engine affected by this vulnerability      Version 1.1.13701.0
First version of the Microsoft Malware Protection Engine with this vulnerability addressed  Version 1.1.13704.0*


*If your version of the Microsoft Malware Protection Engine is equal to or 
greater than this version, then you are not affected by this vulnerability and
do not need to take any further action. For more information on how to verify
the engine version number that your software is currently using, see the 
section, "Verifying Update Installation", in Microsoft Knowledge Base Article
2510781.

Affected Software

The following software versions or editions are affected. Versions or editions
that are not listed are either past their support life cycle or are not 
affected. To determine the support life cycle for your software version or 
edition, see Microsoft Support Lifecycle.

Antimalware Software                                              Microsoft Malware Protection Engine Remote Code
                                                                  Execution Vulnerability - CVE-2017-0290

Microsoft Forefront Endpoint Protection 2010                      Critical / Remote Code Execution
Microsoft Endpoint Protection                                     Critical / Remote Code Execution
Microsoft Forefront Security for SharePoint Service Pack 3        Critical / Remote Code Execution
Microsoft System Center Endpoint Protection                       Critical / Remote Code Execution
Microsoft Security Essentials                                     Critical / Remote Code Execution
Windows Defender for Windows 7                                    Critical / Remote Code Execution
Windows Defender for Windows 8.1                                  Critical / Remote Code Execution
Windows Defender for Windows RT 8.1                               Critical / Remote Code Execution
Windows Defender for Windows 10, Windows 10 1511,                 Critical / Remote Code Execution
  Windows 10 1607, Windows Server 2016, Windows 10 1703
Windows Intune Endpoint Protection                                Critical / Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the 
vulnerabilities addressed this month. The vulnerabilities are listed in order
of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating 
of Critical or Important in the bulletins are included.

How do I use this table?

Use this table to learn about the likelihood of code execution and denial of 
service exploits within 30 days of security bulletin release, for each of the
security updates that you may need to install. Review each of the assessments
below, in accordance with your specific configuration, to prioritize your 
deployment of this month's updates. For more information about what these 
ratings mean, and how they are determined, please see Microsoft Exploitability
Index.

In the columns below, "Latest Software Release" refers to the subject 
software, and "Older Software Releases" refers to all older, supported 
releases of the subject software, as listed in the "Affected Software" and 
"Non-Affected Software" tables in the bulletin.

CVE ID         Vulnerability Title                  Exploitability Assessment      Exploitability Assessment      Denial of Service
                                                    for Latest Software Release    for Older Software Release     Exploitability Assessment

CVE-2017-0290  Scripting Engine Memory Corruption   2 - Exploitation Less Likely   2 - Exploitation Less Likely   Not applicable
               Vulnerability

Advisory FAQ

Is Microsoft releasing a Security Bulletin to address this vulnerability?

No. Microsoft is releasing this informational security advisory to inform 
customers that an update to the Microsoft Malware Protection Engine addresses
a security vulnerability that was reported to Microsoft.

Typically, no action is required of enterprise administrators or end users to
install this update.

Why is no action required to install this update?

In response to a constantly changing threat landscape, Microsoft frequently 
updates malware definitions and the Microsoft Malware Protection Engine. In 
order to be effective in helping protect against new and prevalent threats, 
antimalware software must be kept up to date with these updates in a timely 
manner.

For enterprise deployments as well as end users, the default configuration in
Microsoft antimalware software helps ensure that malware definitions and the 
Microsoft Malware Protection Engine are kept up to date automatically. Product
documentation also recommends that products are configured for automatic 
updating.

Best practices recommend that customers regularly verify whether software 
distribution, such as the automatic deployment of Microsoft Malware Protection
Engine updates and malware definitions, is working as expected in their 
environment.

How often are the Microsoft Malware Protection Engine and malware definitions
updated?

Microsoft typically releases an update for the Microsoft Malware Protection 
Engine once a month or as needed to protect against new threats. Microsoft 
also typically updates the malware definitions three times daily and can 
increase the frequency when needed.

Depending on which Microsoft antimalware software is used and how it is 
configured, the software may search for engine and definition updates every 
day when connected to the Internet, up to multiple times daily. Customers can
also choose to manually check for updates at any time.

How can I install the update?

Refer to the section, Suggested Actions, for details on how to install this 
update.

What is the Microsoft Malware Protection Engine?

The Microsoft Malware Protection Engine, mpengine.dll, provides the scanning,
detection, and cleaning capabilities for Microsoft antivirus and antispyware 
software.

Does this update contain any additional security-related changes to 
functionality?

Yes. In addition to the changes that are listed for this vulnerability, this 
update includes defense-in-depth updates to help improve security-related 
features.

Where can I find more information about Microsoft antimalware technology?

For more information, visit the Microsoft Malware Protection Center website.

Microsoft Malware Protection Engine Remote Code Execution Vulnerability - 
CVE-2017-0290

A remote code execution vulnerability exists when the Microsoft Malware 
Protection Engine does not properly scan a specially crafted file leading to 
memory corruption.

An attacker who successfully exploited this vulnerability could execute 
arbitrary code in the security context of the LocalSystem account and take 
control of the system. An attacker could then install programs; view, change,
or delete data; or create new accounts with full user rights.

To exploit this vulnerability, a specially crafted file must be scanned by an
affected version of the Microsoft Malware Protection Engine. There are many 
ways that an attacker could place a specially crafted file in a location that
is scanned by the Microsoft Malware Protection Engine. For example, an 
attacker could use a website to deliver a specially crafted file to the 
victim's system that is scanned when the website is viewed by the user. An 
attacker could also deliver a specially crafted file via an email message or 
in an Instant Messenger message that is scanned when the file is opened. In 
addition, an attacker could take advantage of websites that accept or host 
user-provided content, to upload a specially crafted file to a shared location
that is scanned by the Malware Protection Engine running on the hosting 
server.

If the affected antimalware software has real-time protection turned on, the 
Microsoft Malware Protection Engine will scan files automatically, leading to
exploitation of the vulnerability when the specially crafted file is scanned. If
real-time scanning is not enabled, the attacker would need to wait until a 
scheduled scan occurs in order for the vulnerability to be exploited. All 
systems running an affected version of antimalware software are primarily at 
risk.

The update addresses the vulnerability by correcting the manner in which the 
Microsoft Malware Protection Engine scans specially crafted files.

Microsoft received information about this vulnerability through coordinated 
vulnerability disclosure.

Microsoft had not received any information to indicate that this vulnerability
had been publicly used to attack customers when this security advisory was 
originally issued.

Suggested Actions

    Verify that the update is installed

    Customers should verify that the latest version of the Microsoft Malware 
Protection Engine and definition updates are being actively downloaded and 
installed for their Microsoft antimalware products.

    For more information on how to verify the version number for the Microsoft
Malware Protection Engine that your software is currently using, see the 
section, "Verifying Update Installation", in Microsoft Knowledge Base Article
2510781.

    For affected software, verify that the Microsoft Malware Protection Engine
version is 1.1.10701.0 or later.

    If necessary, install the update

    Administrators of enterprise antimalware deployments should ensure that 
their update management software is configured to automatically approve and 
distribute engine updates and new malware definitions. Enterprise 
administrators should also verify that the latest version of the Microsoft 
Malware Protection Engine and definition updates are being actively 
downloaded, approved and deployed in their environment.

    For end-users, the affected software provides built-in mechanisms for the
automatic detection and deployment of this update. For these customers, the 
update will be applied within 48 hours of its availability. The exact time 
frame depends on the software used, Internet connection, and infrastructure 
configuration. End users that do not wish to wait can manually update their 
antimalware software.

    For more information on how to manually update the Microsoft Malware 
Protection Engine and malware definitions, refer to Microsoft Knowledge Base 
Article 2510781.
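The verification step above amounts to comparing the engine version the product is
loading against the first fixed version in the Issue References table
(1.1.13704.0). The following PowerShell script is an added example for that
check; it is not part of the Microsoft advisory or the AusCERT bulletin. It
assumes the Windows Defender PowerShell module (Get-MpComputerStatus,
Update-MpSignature) is available, which holds for Windows 8.1, Windows 10 and
Windows Server 2016 but not Windows 7 or the other listed products; for those it
falls back to reading the file version of mpengine.dll, and the Definition
Updates folder used for that fallback is an assumed default location, not a path
taken from the advisory.

```powershell
# Added example, not code from the Microsoft advisory or AusCERT bulletin.
# Checks whether the locally loaded Microsoft Malware Protection Engine is at or
# above the first fixed version given in the advisory (1.1.13704.0) and, if not,
# triggers a definition/engine update so the fix is pulled immediately.

$FirstFixedVersion = [version]'1.1.13704.0'   # from the advisory's Issue References table

function ConvertTo-EngineVersion {
    # Some FileVersion strings carry trailing text; keep only the dotted numeric part.
    param([string]$Text)
    if ($Text -match '^\s*(\d+(\.\d+){1,3})') { return [version]$Matches[1] }
    throw "Could not parse an engine version from '$Text'"
}

function Get-EngineVersionFromDefender {
    # AMEngineVersion is the engine build the Defender service currently uses.
    $status = Get-MpComputerStatus -ErrorAction Stop
    return ConvertTo-EngineVersion $status.AMEngineVersion
}

function Get-EngineVersionFromFile {
    # Fallback for systems without the Defender module: read the file version of the
    # newest mpengine.dll on disk. The default root below is an ASSUMED location for
    # Windows Defender; other products (e.g. Security Essentials) install elsewhere,
    # so pass -Root for them.
    param([string]$Root = "$env:ProgramData\Microsoft\Windows Defender\Definition Updates")
    $dll = Get-ChildItem -Path $Root -Filter mpengine.dll -Recurse -ErrorAction Stop |
           Sort-Object LastWriteTime -Descending | Select-Object -First 1
    if (-not $dll) { throw "mpengine.dll not found under $Root" }
    return ConvertTo-EngineVersion $dll.VersionInfo.FileVersion
}

function Test-EngineFixed {
    # [version] compares component-wise, so 1.1.13704.0 -ge 1.1.13701.0 is $true
    # while a naive string comparison could get multi-digit components wrong.
    param([version]$Installed, [version]$FirstFixed = $FirstFixedVersion)
    return $Installed -ge $FirstFixed
}

$defenderModule = [bool](Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue)
if ($defenderModule) {
    $installed = Get-EngineVersionFromDefender; $source = 'Get-MpComputerStatus'
} else {
    $installed = Get-EngineVersionFromFile;     $source = 'mpengine.dll file version'
}

if (Test-EngineFixed -Installed $installed) {
    Write-Output "Engine $installed ($source) is at or above $FirstFixedVersion: CVE-2017-0290 fix present."
} else {
    Write-Warning "Engine $installed ($source) is below $FirstFixedVersion: affected version still loaded."
    if ($defenderModule) {
        # Engine updates ship with the definition updates, so a signature update
        # pulls the fixed engine from the configured update source.
        Update-MpSignature -ErrorAction Stop
        $after = Get-EngineVersionFromDefender
        Write-Output "Engine after update: $after (fixed: $(Test-EngineFixed -Installed $after))"
    } else {
        Write-Warning 'Update manually through the product UI or your update management software (see KB 2510781).'
    }
}
```

In an enterprise deployment the same comparison can be run through the
management tooling's inventory instead of per host; the point is that the
engine version, not the definition version, is the value that decides whether
the fixed build is in use.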

Other Information

Microsoft Active Protections Program (MAPP)

To improve security protections for customers, Microsoft provides 
vulnerability information to major security software providers in advance of 
each monthly security update release. Security software providers can then use
this vulnerability information to provide updated protections to customers via
their security software or devices, such as antivirus, network-based intrusion
detection systems, or host-based intrusion prevention systems. To determine 
whether active protections are available from security software providers, 
please visit the active protections websites provided by program partners, 
listed in Microsoft Active Protections Program (MAPP) Partners.

Feedback

    You can provide feedback by completing the Microsoft Help and Support 
form, Customer Service Contact Us.

Support

    Customers in the United States and Canada can receive technical support 
from Security Support. For more information, see Microsoft Help and Support.

    International customers can receive support from their local Microsoft 
subsidiaries. For more information, see International Support.

    Microsoft TechNet Security provides additional information about security
in Microsoft products.

Disclaimer

The information provided in this advisory is provided "as is" without warranty
of any kind. Microsoft disclaims all warranties, either express or implied, 
including the warranties of merchantability and fitness for a particular 
purpose. In no event shall Microsoft Corporation or its suppliers be liable 
for any damages whatsoever including direct, indirect, incidental, 
consequential, loss of business profits or special damages, even if Microsoft
Corporation or its suppliers have been advised of the possibility of such 
damages. Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not apply.

Revisions

    V1.0 (May 8, 2017): Advisory published.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----