Microsoft Out-Of-Band Security Update Patches Malware Protection Engine Flaw

Yesterday, April 3, Microsoft released an emergency security update via Windows Update that fixes CVE-2018-0986, a vulnerability in the Microsoft Malware Protection Engine (MMPE).

MMPE (mpengine.dll) is the malware scanning, detection, and cleaning component of several Microsoft antivirus and antispyware programs, such as Windows Defender, Microsoft Security Essentials, Microsoft Endpoint Protection, Windows Intune Endpoint Protection, and Microsoft Forefront Endpoint Protection.

Vulnerability rated "critical"

A Google security researcher discovered a flaw in the MMPE component that allows attackers to execute malicious code on a Windows machine. Because the MMPE component runs with system privileges, the bug, if exploited, can grant attackers complete control over a victim's system.

Microsoft rated the vulnerability as "critical," its highest severity level. "To exploit this vulnerability, a specially crafted file must be scanned by an affected version of the Microsoft Malware Protection Engine," the company said in an advisory.

Exploitation is trivial, as an attacker can host the malicious code inside JavaScript files served over a website the victim is accessing, add the malicious code to email file attachments, or send a boobytrapped file to a victim via an instant messaging client.

Because the MMPE component automatically scans all incoming files by default, no user interaction is needed to exploit the flaw.

Furthermore, on Windows 10, Windows Defender is enabled by default, so all Windows 10 systems are vulnerable out-of-the-box and will require an update.

Updates should arrive on user PCs within 48 hours

The good news is that Microsoft decoupled MMPE component updates from OS updates, meaning Microsoft can silently deliver the necessary patches without needing user interaction.

The OS maker has fixed the flaw in MMPE version 1.1.14700.5, which should be deployed on all vulnerable systems in the next 48 hours unless system admins and PC owners have specifically blocked MMPE updates via local policies.

Microsoft credited Thomas Dullien of Google Project Zero for discovering the CVE-2018-0986 vulnerability. This is the fourth similar MMPE remote code execution bug that the Project Zero team has discovered in Microsoft's Malware Protection Engine [1, 2, 3]. The UK's GCHQ spy agency found and reported a similar MMPE bug last December.