-----BEGIN PGP SIGNED MESSAGE-----
AUSCERT External Security Bulletin Redistribution
CVE-2017-8558 | Microsoft Malware Protection Engine Remote
Code Execution Vulnerability
26 June 2017
AusCERT Security Bulletin Summary
Product: Microsoft Malware Protection Engine
Operating System: Windows
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
CVE Names: CVE-2017-8558
- --------------------------BEGIN INCLUDED TEXT--------------------
Microsoft Malware Protection Engine Remote Code Execution Vulnerability
A remote code execution vulnerability exists when the Microsoft Malware
Protection Engine does not properly scan a specially crafted file, leading to
memory corruption. An attacker who successfully exploited this vulnerability
could execute arbitrary code in the security context of the LocalSystem
account and take control of the system. An attacker could then install
programs; view, change, or delete data; or create new accounts with full user
To exploit this vulnerability, a specially crafted file must be scanned by an
affected version of the Microsoft Malware Protection Engine. There are many
ways that an attacker could place a specially crafted file in a location that
is scanned by the Microsoft Malware Protection Engine. For example, an
attacker could use a website to deliver a specially crafted file to the
victim's system that is scanned when the website is viewed by the user. An
attacker could also deliver a specially crafted file via an email message or
in an Instant Messenger message that is scanned when the file is opened. In
addition, an attacker could take advantage of websites that accept or host
user-provided content, to upload a specially crafted file to a shared location
that is scanned by the Malware Protection Engine running on the hosting
If the affected antimalware software has real-time protection turned on, the
Microsoft Malware Protection Engine will scan files automatically, leading to
exploitation of the vulnerability when the specially crafted file is scanned.
If real-time scanning is not enabled, the attacker would need to wait until a
scheduled scan occurs in order for the vulnerability to be exploited. All
systems running an affected version of antimalware software are primarily at
The update addresses the vulnerability by correcting the manner in which the
Microsoft Malware Protection Engine scans specially crafted files.
Note: Typically, no action is required of enterprise administrators or end
users to install updates for the Microsoft Malware Protection Engine, because
the built-in mechanism for the automatic detection and deployment of updates
will apply the update within 48 hours of release. The exact time frame depends
on the software used, Internet connection, and infrastructure configuration.
The following table provides an exploitability assessment for this
vulnerability at the time of original publication.
Publicly Disclosed Exploited Latest Software Release Older Software Release Denial of Service
No No Not Applicable Not Applicable Not Applicable
The following software versions or editions are affected. Versions or editions
that are not listed are either past their support life cycle or are not
affected. To determine the support life cycle for your software version or
edition, see Microsoft Support Lifecycle.
Product Platform Impact Severity
Microsoft Endpoint Protection Remote Code Execution Critical
Microsoft Forefront Endpoint Protection Remote Code Execution Critical
Microsoft Forefront Endpoint Protection 2010 Remote Code Execution Critical
Microsoft Security Essentials Remote Code Execution Critical
Windows Defender Windows 10 Version 1703 for 32-bit Systems Remote Code Execution Critical
Windows Defender Windows 10 Version 1511 for 32-bit Systems Remote Code Execution Critical
Windows Defender Windows 10 for 32-bit Systems Remote Code Execution Critical
Windows Defender Windows 8.1 for 32-bit systems Remote Code Execution Critical
Windows Defender Windows 7 for 32-bit Systems Service Pack 1 Remote Code Execution Critical
Windows Defender Windows Server 2008 for 32-bit Systems Service Pack 2 Remote Code Execution Critical
Windows Defender Windows Server 2008 for 32-bit Systems Service Pack 2 Remote Code Execution Critical
(Server Core installation)
Windows Defender Windows 10 Version 1607 for 32-bit Systems Remote Code Execution Critical
Windows Intune Endpoint Protection Remote Code Execution Critical
Only x86 or 32-bit based versions of the Malware Protection Engine are
Microsoft has not identified any workarounds for this vulnerability.
Last version of the Microsoft Malware Protection Engine affected by this
vulnerability Version 1.1.13804.0
First version of the Microsoft Malware Protection Engine with this
vulnerability addressed Version 1.1.13903.0
Why is no action required to install this update?
In response to a constantly changing threat landscape, Microsoft frequently
updates malware definitions and the Microsoft Malware Protection Engine. In
order to be effective in helping protect against new and prevalent threats,
antimalware software must be kept up to date with these updates in a timely
For enterprise deployments as well as end users, the default configuration in
Microsoft antimalware software helps ensure that malware definitions and the
Microsoft Malware Protection Engine are kept up to date automatically. Product
documentation also recommends that products are configured for automatic
Best practices recommend that customers regularly verify whether software
distribution, such as the automatic deployment of Microsoft Malware Protection
Engine updates and malware definitions, is working as expected in their
How often are the Microsoft Malware Protection Engine and malware definitions
Microsoft typically releases an update for the Microsoft Malware Protection
Engine once a month or as needed to protect against new threats. Microsoft
also typically updates the malware definitions three times daily and can
increase the frequency when needed.
Depending on which Microsoft antimalware software is used and how it is
configured, the software may search for engine and definition updates every
day when connected to the Internet, up to multiple times daily. Customers can
also choose to manually check for updates at any time.
What is the Microsoft Malware Protection Engine?
The Microsoft Malware Protection Engine, mpengine.dll, provides the scanning,
detection, and cleaning capabilities for Microsoft antivirus and antispyware
Does this update contain any additional security-related changes to
Yes. In addition to the changes that are listed for this vulnerability, this
update includes defense-in-depth updates to help improve security-related
Where can I find more information about Microsoft antimalware technology?
For more information, visit the Microsoft Malware Protection Center website.
Verify that the update is installed
Customers should verify that the latest version of the Microsoft Malware
Protection Engine and definition updates are being actively downloaded and
installed for their Microsoft antimalware products.
For more information on how to verify the version number for the Microsoft
Malware Protection Engine that your software is currently using, see the
section, "Verifying Update Installation", in Microsoft Knowledge Base Article
For affected software, verify that the Microsoft Malware Protection Engine
version is 1.1.13903.0 or later.
If necessary, install the update
Administrators of enterprise antimalware deployments should ensure that their
update management software is configured to automatically approve and
distribute engine updates and new malware definitions. Enterprise
administrators should also verify that the latest version of the Microsoft
Malware Protection Engine and definition updates are being actively
downloaded, approved and deployed in their environment.
For end-users, the affected software provides built-in mechanisms for the
automatic detection and deployment of this update. For these customers, the
update will be applied within 48 hours of its availability. The exact time
frame depends on the software used, Internet connection, and infrastructure
configuration. End users that do not wish to wait can manually update their
For more information on how to manually update the Microsoft Malware
Protection Engine and malware definitions, refer to Microsoft Knowledge Base
Tavis Ormandy of Google Project Zero
See acknowledgments for more information.
The information provided in the Microsoft Knowledge Base is provided "as is"
without warranty of any kind. Microsoft disclaims all warranties, either
express or implied, including the warranties of merchantability and fitness
for a particular purpose. In no event shall Microsoft Corporation or its
suppliers be liable for any damages whatsoever including direct, indirect,
incidental, consequential, loss of business profits or special damages, even
if Microsoft Corporation or its suppliers have been advised of the possibility
of such damages. Some states do not allow the exclusion or limitation of
liability for consequential or incidental damages so the foregoing limitation
may not apply.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to email@example.com
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
Australian Computer Emergency Response Team
The University of Queensland
Internet Email: firstname.lastname@example.org
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----