On Wednesday, Microsoft announced an emergency security patch, CVE-2017-11937, that addresses a remote code execution bug in its malware protection engine, mpengine.dll. According to Microsoft, “An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the LocalSystem account and take control of the system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”
The company added, “For example, an attacker could use a website to deliver a specially crafted file to the victim’s system that is scanned when the website is viewed by the user. An attacker could also deliver a specially crafted file via an email message or in an Instant Messenger message that is scanned when the file is opened. In addition, an attacker could take advantage of websites that accept or host user-provided content, to upload a specially crafted file to a shared location that is scanned by the Malware Protection Engine running on the hosting server.”
Affected Microsoft Products include:
- Windows Defender in Windows 7, Windows 8.1, Windows 10,
- Microsoft Security Essentials
- Endpoint Protection
- Forefront Endpoint Protection
- Exchange Server 2013 and 2016
It is important to note that WinXP may also be affected, but is no longer supported by Microsoft and thus, no fix is being distributed for this version of the operating system.
Because of the severity of the vulnerability, Microsoft did not use Windows Update, electing instead to automatically deliver an updated version of mpengine.dll, regardless of whether Windows Updates was turned on or not.
This is the latest issue to plague Microsoft’s malware protection engine and has cybersecurity experts revisiting earlier criticism that Microsoft didn’t sandbox Windows Defender. This is a common practice to isolate specific software from the rest of the computer, thereby minimizing the probability that a critical vulnerability, such as this one, could affect the entire operating system.
Microsoft can thank the U.K. National Cyber Security Centre intelligence agency for the discovery of this vulnerability. To date, there are no known exploits, and applying the patch as quickly as possible is the best way to eliminate the threat.
Facing growing threats and a rapidly expanding attack surface, understaffed and alert-fatigued organizations need more efficient ways to eliminate their exposure to vulnerabilities. Automox is a modern cyber hygiene platform that closes the aperture of attack by more than 80% with just half the effort of traditional solutions.
Cloud-native and globally available, Automox enforces OS & third-party patch management, security configurations, and custom scripting across Windows, Mac, and Linux from a single intuitive console. IT and SecOps can quickly gain control and share visibility of on-prem, remote and virtual endpoints without the need to deploy costly infrastructure.
Experience modern, cloud-native management today with a 15-day free trial of Automox and start recapturing more than half the time you're currently spending on managing your attack surface. Automox dramatically reduces corporate risk while raising operational efficiency to deliver best-in-class security outcomes, faster and with fewer resources.