-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.1596
        CVE-2017-8558 | Microsoft Malware Protection Engine Remote
                       Code Execution Vulnerability
                               26 June 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Microsoft Malware Protection Engine
Publisher:         Microsoft
Operating System:  Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-8558  

Original Bulletin: 
   https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8558

- --------------------------BEGIN INCLUDED TEXT--------------------

CVE-2017-8558

Microsoft Malware Protection Engine Remote Code Execution Vulnerability

Security Vulnerability

Published: 06/23/2017

MITRE CVE-2017-8558

A remote code execution vulnerability exists when the Microsoft Malware 
Protection Engine does not properly scan a specially crafted file, leading to
memory corruption. An attacker who successfully exploited this vulnerability 
could execute arbitrary code in the security context of the LocalSystem 
account and take control of the system. An attacker could then install 
programs; view, change, or delete data; or create new accounts with full user
rights.

To exploit this vulnerability, a specially crafted file must be scanned by an
affected version of the Microsoft Malware Protection Engine. There are many 
ways that an attacker could place a specially crafted file in a location that
is scanned by the Microsoft Malware Protection Engine. For example, an 
attacker could use a website to deliver a specially crafted file to the 
victim's system that is scanned when the website is viewed by the user. An 
attacker could also deliver a specially crafted file via an email message or 
in an Instant Messenger message that is scanned when the file is opened. In 
addition, an attacker could take advantage of websites that accept or host 
user-provided content, to upload a specially crafted file to a shared location
that is scanned by the Malware Protection Engine running on the hosting 
server.

If the affected antimalware software has real-time protection turned on, the 
Microsoft Malware Protection Engine will scan files automatically, leading to
exploitation of the vulnerability when the specially crafted file is scanned.
If real-time scanning is not enabled, the attacker would need to wait until a
scheduled scan occurs in order for the vulnerability to be exploited. All 
systems running an affected version of antimalware software are primarily at 
risk.

The update addresses the vulnerability by correcting the manner in which the 
Microsoft Malware Protection Engine scans specially crafted files.

Note: Typically, no action is required of enterprise administrators or end 
users to install updates for the Microsoft Malware Protection Engine, because
the built-in mechanism for the automatic detection and deployment of updates 
will apply the update within 48 hours of release. The exact time frame depends
on the software used, Internet connection, and infrastructure configuration.

Exploitability Assessment

The following table provides an exploitability assessment for this 
vulnerability at the time of original publication.

Publicly Disclosed 	Exploited 	Latest Software Release Older Software Release 	Denial of Service
No 			No 		Not Applicable 		Not Applicable 		Not Applicable

Affected Products

The following software versions or editions are affected. Versions or editions
that are not listed are either past their support life cycle or are not 
affected. To determine the support life cycle for your software version or 
edition, see Microsoft Support Lifecycle.

Product			Platform						Impact			Severity

Microsoft Endpoint Protection 							Remote Code Execution 	Critical

Microsoft Forefront Endpoint Protection 					Remote Code Execution 	Critical
	
Microsoft Forefront Endpoint Protection 2010 					Remote Code Execution 	Critical

Microsoft Security Essentials 							Remote Code Execution 	Critical

Windows Defender Windows 10 Version 1703 for 32-bit Systems 			Remote Code Execution 	Critical

Windows Defender 	Windows 10 Version 1511 for 32-bit Systems 		Remote Code Execution 	Critical

Windows Defender 	Windows 10 for 32-bit Systems 				Remote Code Execution 	Critical

Windows Defender 	Windows 8.1 for 32-bit systems 				Remote Code Execution 	Critical

Windows Defender 	Windows 7 for 32-bit Systems Service Pack 1 		Remote Code Execution 	Critical

Windows Defender 	Windows Server 2008 for 32-bit Systems Service Pack 2 	Remote Code Execution Critical

Windows Defender 	Windows Server 2008 for 32-bit Systems Service Pack 2 	Remote Code Execution Critical
			(Server Core installation) 

Windows Defender 	Windows 10 Version 1607 for 32-bit Systems 		Remote Code Execution 	Critical

Windows Intune Endpoint Protection 						Remote Code Execution 	Critical

Mitigations

Only x86 or 32-bit based versions of the Malware Protection Engine are 
affected.

Workarounds

Microsoft has not identified any workarounds for this vulnerability.

FAQ

References Identification

Last version of the Microsoft Malware Protection Engine affected by this 
vulnerability Version 1.1.13804.0

First version of the Microsoft Malware Protection Engine with this 
vulnerability addressed Version 1.1.13903.0

Why is no action required to install this update?

In response to a constantly changing threat landscape, Microsoft frequently 
updates malware definitions and the Microsoft Malware Protection Engine. In 
order to be effective in helping protect against new and prevalent threats, 
antimalware software must be kept up to date with these updates in a timely 
manner.

For enterprise deployments as well as end users, the default configuration in
Microsoft antimalware software helps ensure that malware definitions and the 
Microsoft Malware Protection Engine are kept up to date automatically. Product
documentation also recommends that products are configured for automatic 
updating.

Best practices recommend that customers regularly verify whether software 
distribution, such as the automatic deployment of Microsoft Malware Protection
Engine updates and malware definitions, is working as expected in their 
environment.

How often are the Microsoft Malware Protection Engine and malware definitions
updated?

Microsoft typically releases an update for the Microsoft Malware Protection 
Engine once a month or as needed to protect against new threats. Microsoft 
also typically updates the malware definitions three times daily and can 
increase the frequency when needed.

Depending on which Microsoft antimalware software is used and how it is 
configured, the software may search for engine and definition updates every 
day when connected to the Internet, up to multiple times daily. Customers can
also choose to manually check for updates at any time.

What is the Microsoft Malware Protection Engine?

The Microsoft Malware Protection Engine, mpengine.dll, provides the scanning,
detection, and cleaning capabilities for Microsoft antivirus and antispyware 
software.

Does this update contain any additional security-related changes to 
functionality?

Yes. In addition to the changes that are listed for this vulnerability, this 
update includes defense-in-depth updates to help improve security-related 
features.

Where can I find more information about Microsoft antimalware technology?

For more information, visit the Microsoft Malware Protection Center website.

Suggested Actions

Verify that the update is installed

Customers should verify that the latest version of the Microsoft Malware 
Protection Engine and definition updates are being actively downloaded and 
installed for their Microsoft antimalware products.

For more information on how to verify the version number for the Microsoft 
Malware Protection Engine that your software is currently using, see the 
section, "Verifying Update Installation", in Microsoft Knowledge Base Article
2510781.

For affected software, verify that the Microsoft Malware Protection Engine 
version is 1.1.13903.0 or later.

If necessary, install the update

Administrators of enterprise antimalware deployments should ensure that their
update management software is configured to automatically approve and 
distribute engine updates and new malware definitions. Enterprise 
administrators should also verify that the latest version of the Microsoft 
Malware Protection Engine and definition updates are being actively 
downloaded, approved and deployed in their environment.

For end-users, the affected software provides built-in mechanisms for the 
automatic detection and deployment of this update. For these customers, the 
update will be applied within 48 hours of its availability. The exact time 
frame depends on the software used, Internet connection, and infrastructure 
configuration. End users that do not wish to wait can manually update their 
antimalware software.

For more information on how to manually update the Microsoft Malware 
Protection Engine and malware definitions, refer to Microsoft Knowledge Base 
Article 2510781.

Acknowledgments

Tavis Ormandy of Google Project Zero

See acknowledgments for more information.

Disclaimer

The information provided in the Microsoft Knowledge Base is provided "as is" 
without warranty of any kind. Microsoft disclaims all warranties, either 
express or implied, including the warranties of merchantability and fitness 
for a particular purpose. In no event shall Microsoft Corporation or its 
suppliers be liable for any damages whatsoever including direct, indirect, 
incidental, consequential, loss of business profits or special damages, even 
if Microsoft Corporation or its suppliers have been advised of the possibility
of such damages. Some states do not allow the exclusion or limitation of 
liability for consequential or incidental damages so the foregoing limitation
may not apply.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWVB3c4x+lLeg9Ub1AQhHoA/+PiHdNWVNR38uTnSfR81Z93dXWWO0i8E/
a+W7seeq2EVZ1Y+zsyBhilvRJYEKG1a5xxm/bZeMubr8G00HR/FMR+sPyVwdgKB/
Rwy/vuXt8bQOWUSQi0lKamcNRplXBYXtHHzZaN9w/Jt88EAcp9TcNIMLES9Cly/f
n7I1qk3/latyKPAsCz1ttRZTwgWbC22t0rMaFHkm89znwrl7z7WbSggfgebPAt8u
n+DWcRWzhKsYZM6rUDlRV98WCwolbkQoXt4NWJS98qcujqvIk8sQsrUBBCFTqMyt
LTY9oOyEtOcrxqN3/75orWBSi26lMmQE8m++67Njj1xhtTXmX30sHpw+v+NmjUTb
u17bbKSX9wDK9Oye7tNXefM0jO9+2Hi2XblIATwwc7T8Ax7UipOwYKTITLP2smGa
x+I65FhE6xOnVJKVhXITWDulywfaDYFGH0Fm6Vx/Id0yKPMQBXA78qPpJl2/wmbF
bEmd/AzOvt4sTOv8PBVR9SJFcBj/XCJ+6OzKUipFP3ITUc+hNJY/WpQrxNWadMOE
7oJlErTEKYjT3C0C84UZvUDr8skOZwmZeApAPgq9ZENaxYoFI8q4b3B8GS8QnyX4
nRTbeDz2KrwZrOuWKrOc7rhl3mhkDgnaIYX6PoyRG+pFWkLvHDGxiVIC2bPkuOxe
O7xfobFTGDs=
=cRYq
-----END PGP SIGNATURE-----