Bug in Windows security products could give attackers access if products scanned specific file

[peteyt 393]

Microsoft has recently fixed a bug apparently discovered by a division inside the UK British Intellegence organisation GCHQ.

The bug was in the Malware Protection Engine which is used in products such as Windows Defender, Microsoft Security Essentials, Microsoft Endpoint Protection, and Windows Intune Endpoint Protection. It was found on all currently supported Windows versions, which are Windows 7 and later.

What is interesting is a that a file designed to abuse the bug apparently just needed to be scanned to be able to possibly take control of the system. The issue being by default programs such as Windows Defender would have to scan the file trying to identify if it was a virus. This normal and important procedure would actually appear to do more harm than good in this case.

The bug is apparently a remote control execution vulnerability. The products do not scan a specially crafted file properly leading to memory corruption. This could allow an attacker to execute arbitrary code to gain control of the system

https://www.bleepingcomputer.com/news/security/microsoft-fixes-malware-protection-engine-bug-discovered-by-british-intelligence/

[itman 1,659]

This is the fourth vulnerability found in the WD engine this year:

Quote

This is not the only critical-level fix the MMPE component received this year. There have been three other similar bugs this year alone that would have allowed attackers to remotely execute code on Windows workstations running outdated MMPE components [1, 2, 3].