Topic: Google 0-Day Hunters Find 'Crazy Bad' Windows RCE Flaw

Offline Palloy2

  • Global Moderator
  • Sous Chef
  • *****
  • Posts: 6113
    • View Profile
    • Palloy's Blog
Google 0-Day Hunters Find 'Crazy Bad' Windows RCE Flaw
« on: May 08, 2017, 05:00:00 PM »
Google 0-Day Hunters Find 'Crazy Bad' Windows RCE Flaw
May 07, 2017
Swati Khandelwal
Google Project Zero's security researchers have discovered another critical remote code execution (RCE) vulnerability in Microsoft’s Windows operating system, claiming that it is something truly bad.

Tavis Ormandy announced during the weekend that he and another Project Zero researcher Natalie Silvanovich discovered "the worst Windows remote code [execution vulnerability] in recent memory. This is crazy bad. Report on the way."

Ormandy did not provide any further details of the Windows RCE bug, as Google gives a 90-day security disclosure deadline to all software vendors to patch their products and disclose it to the public.

This means the details of the new RCE vulnerability in Windows will likely be disclosed in 90 days from now even if Microsoft fails to patch the issue.

However, Ormandy later revealed some details of the Windows RCE flaw, clarifying that:

    The vulnerability they claimed to have discovered works against default Windows installations.
    The attacker does not need to be on the same local area network (LAN) as the victim, which means vulnerable Windows computers can be hacked remotely.
    The attack is "wormable," with the capability to spread itself.

Even though no technical details of the RCE flaw have been released, some IT professionals working for corporations have criticized the Google Project Zero researchers for making the existence of the vulnerability public, while Twitter's infosec community is happy with the work.

    "If a tweet is causing panic or confusion in your organization, the problem isn't the tweet, the problem is your organization," Project Zero researcher Natalie Silvanovich tweeted.

This is not the first time when Google's security researchers have discovered flaws in Microsoft’s products. Most recently in February, Google researchers disclosed the details of an unpatched vulnerability impacting Microsoft's Edge and Internet Explorer browsers.

Microsoft released a patch as part of its next Patch Tuesday but criticized Google for making all details public, putting millions of its Windows users at risk of being hacked.

Microsoft has not yet responded to the latest claims, but the company has its May 2017 Patch Tuesday scheduled tomorrow, May 9, so hopefully, it will include a security patch to resolve this issue.

"The State is a body of armed men."

Palloy2
Re: Google 0-Day Hunters Find 'Crazy Bad' Windows RCE Flaw
« Reply #1 on: May 09, 2017, 05:42:22 PM »
Yes, it is as embarrassing as it sounds - the critical security bug was in the Windows Defender (anti-virus) sub-system!! :laugh:

Every time you download or open a file, Defender scans it for viruses and Potentially Unwanted Programs (PUPs) - no wonder Windows runs so slowly.  As part of the PUP check, if it is a Java or JavaScript file, it is scanned for potentially unwanted activity.  This is good, very clever.  Unfortunately there is a bug in the code such that if you give it a specially crafted JavaScript file, it will crash the app in such a way that it will execute the attacker's instructions before dying.

And it affects ALL versions of Windows since 7, so if you still use this heap of shit OS, do an Update NOW.  Then think about changing to something better than Windows.
Microsoft Issues Emergency Patch For Critical RCE in Windows Malware Scanner
May 08, 2017
Mohit Kumar
Microsoft's own antivirus software made Windows 7, 8.1, RT and 10 computers, as well as Windows Server 2016 more vulnerable.

Microsoft has just released an out-of-band security update to patch the crazy bad bug discovered by a pair of Google Project Zero researchers over the weekend.

Security researcher Tavis Ormandy announced on Twitter during the weekend that he and another Project Zero researcher, Natalie Silvanovich, discovered "the worst Windows remote code [execution vulnerability] in recent memory."

Natalie Silvanovich also published a proof-of-concept (PoC) exploit code that fits in a single tweet.

The reported RCE vulnerability, according to the duo, could work against default installations with "wormable" ability, that is, the capability to replicate itself on an infected computer and then spread to other PCs automatically.

According to an advisory released by Microsoft, the remotely exploitable security flaw (CVE-2017-0290) exists in Microsoft Malware Protection Engine (MMPE) – the company's own antivirus engine that could be used to fully compromise Windows PCs without any user interaction.

List of Affected Anti-Malware Software

Essentially, every anti-malware product that ships with Microsoft's Malware Protection Engine is vulnerable to this flaw. The affected software includes:

    Windows Defender
    Windows Intune Endpoint Protection
    Microsoft Security Essentials
    Microsoft System Center Endpoint Protection
    Microsoft Forefront Security for SharePoint
    Microsoft Endpoint Protection
    Microsoft Forefront Endpoint Protection

Microsoft's Defender security software comes enabled by default on Windows 7, 8.1, RT 8.1, and Windows 10, as well as Windows Server 2016. All are at risk of full remote system compromise.

Remote Code Execution Flaw in Microsoft's Malware Protection Engine

The flaw resides in the way the Microsoft Malware Protection Engine scans files. It is possible for an attacker to craft a malicious file that could lead to memory corruption on targeted systems.

Researchers have labeled the flaw as a "type confusion" vulnerability that exists in NScript, a "component of mpengine that evaluates any filesystem or network activity that looks like JavaScript," which fails to validate JavaScript inputs.

    "To be clear, this is an unsandboxed and highly privileged JavaScript interpreter that is used to evaluate untrusted code, by default on all modern Windows systems. This is as surprising as it sounds," Google security researchers explained in a bug report posted on the Chromium forum.

Since antivirus programs have real-time scanning functionality enabled by default that automatically scans files when they are created, opened, copied or downloaded, the exploit gets triggered as soon as the malicious file is downloaded, infecting the target computer.

The vulnerability could be exploited by hackers in several ways, like sending emails, luring victims to sites that deliver malicious files, and instant messaging.

    "On workstations, attackers can access mpengine by sending emails to users (reading the email or opening attachments is not necessary), visiting links in a web browser, instant messaging and so on," researchers explained.

    "This level of accessibility is possible because MsMpEng uses a filesystem minifilter to intercept and inspect all system filesystem activity, so writing controlled contents to anywhere on disk (e.g. caches, temporary internet files, downloads (even unconfirmed downloads), attachments, etc.) is enough to access functionality in mpengine."

The injected malicious payload runs with elevated LocalSystem privileges, which would allow hackers to gain full control of the target system and perform malicious tasks like installing spyware, stealing sensitive files and login credentials, and much more.

Microsoft responded to the issue very quickly and came up with a patch within just 3 days, which is very impressive. The patch is now available via Windows Update for Windows 7, 8.1, RT and 10.

The vulnerable version of Microsoft Malware Protection Engine (MMPE) is 1.1.13701.0, and the patched version is 1.1.13704.0.

By default, Windows PCs automatically install the latest definitions and updates for the engine. So, your system will install the emergency update automatically within 1-2 days, but you can also get it installed immediately by pressing the 'Check Update' button in your settings.
"The State is a body of armed men."
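The article gives the vulnerable and patched engine versions (1.1.13701.0 and 1.1.13704.0) and says the fix arrives through the normal engine/definition update channel. The following is an added example, not code from the article or from Microsoft, showing how an administrator would verify that a host's Malware Protection Engine is at or above the patched version and force an update if it is not. It uses the Defender PowerShell module's real Get-MpComputerStatus (its AMEngineVersion property) and Update-MpSignature cmdlets, which ship with Windows 8.1, Windows 10 and Windows Server 2016; Windows 7 hosts running Security Essentials do not have this module and must be checked through the product's own UI or your management console. The function name Test-MpEngineVersion is this example's own.

```powershell
# Added example (not from the article): verify the Microsoft Malware Protection
# Engine version against the version the article reports as patched for
# CVE-2017-0290, and trigger an update when the host is still behind.

$PatchedEngine    = [version]'1.1.13704.0'   # patched version, per the article
$VulnerableEngine = [version]'1.1.13701.0'   # vulnerable version, per the article

function Test-MpEngineVersion {
    # Returns $true when the installed engine is at or above the patched version.
    # [version] compares component by component, so 1.1.13704.0 -ge 1.1.13701.0
    # behaves correctly, whereas a plain string comparison would not.
    param(
        [Parameter(Mandatory)][version]$Installed,
        [version]$Patched = $PatchedEngine
    )
    return ($Installed -ge $Patched)
}

# Read the live engine version from Defender (requires the Defender module).
$status = Get-MpComputerStatus
$engine = [version]$status.AMEngineVersion

if (Test-MpEngineVersion -Installed $engine) {
    Write-Output "Engine $engine is at or above $PatchedEngine: patched for CVE-2017-0290."
}
else {
    Write-Warning "Engine $engine is below $PatchedEngine (vulnerable build was $VulnerableEngine); forcing an update."
    # Pulls the latest engine and definitions through the normal update channel.
    # Needs an elevated session.
    Update-MpSignature
    $engine = [version](Get-MpComputerStatus).AMEngineVersion
    Write-Output "Engine after update: $engine"
}

# Real-time scanning is what exposes mpengine to any file written to disk, so
# confirm it is still enabled rather than "mitigating" by turning it off.
Write-Output ("Real-time protection enabled: {0}" -f $status.RealTimeProtectionEnabled)
```

Run this from an elevated PowerShell session; across a fleet, the same check can be wrapped in Invoke-Command or fed into your inventory tool so that hosts reporting an engine below 1.1.13704.0 are flagged for follow-up.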

