Another critical patch was issued for a flaw in Microsoft's Malware Protection Engine, though this one was distributed quietly.

Last Wednesday, Microsoft issued a patch for a critical vulnerability in its Malware Protection Engine, the scanning engine behind Microsoft Security Essentials (MSE), the company's free anti-malware package, according to an article on Kaspersky Lab's Threatpost.

The flaw was first reported on May 12 by Google's Project Zero team, which said an attacker could craft an executable that, once scanned, abuses the emulator inside the Malware Protection Engine to achieve remote code execution.

Microsoft issued the patch quietly after being notified privately by Tavis Ormandy of Google's Project Zero team.

"MsMpEng includes a full system x86 emulator that is used to execute any untrusted files that look like PE executables," Ormandy explained. "The emulator runs as NT AUTHORITY\SYSTEM and isn't sandboxed. Browsing the list of win32 APIs that the emulator supports, I noticed ntdll!NtControlChannel, an ioctl-like routine that allows emulated code to control the emulator."

The bug exposed MsMpEng to several problems, including letting emulated (attacker-supplied) code issue input/output control commands to the emulator itself, such as changing execution parameters and setting and reading scan attributes and UFS metadata, Ormandy wrote.

"From what I can tell, Microsoft silently patched this [on May 24] in mpengine 1.1.13804.0," Ormandy said in a comment on his own post.  

This patch is separate from another emergency patch that was issued by Microsoft on May 9, though that one also addressed a flaw in the Microsoft Malware Protection Engine. In a tweet, Ormandy dubbed that one “crazy bad.”

The more recent patch addresses "the way the emulator processes files, whereas the previous vulnerability was tied to the MsMpEng's JavaScript interpreter," the Threatpost article explained.

Microsoft did not issue a security advisory for this latest bug. Users whose preferences were left at the default received the updated engine automatically through the normal definition-update channel.
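Because no advisory was published, the only practical way to confirm a host got the fix is to compare its engine build with the one Ormandy named as fixed, 1.1.13804.0. The following PowerShell is an added example for that check; it is not from the article, Microsoft, or Project Zero. It uses the Defender module's Get-MpComputerStatus where available and falls back to the Signature Updates registry keys, whose exact paths on a given MSE or SCEP installation are an assumption to verify locally.

```powershell
# Added example (not from the original article): report whether the local
# Microsoft anti-malware engine is at or past the build Ormandy cited as fixed.
$FixedEngine = [version]'1.1.13804.0'   # build named in Ormandy's comment

function Get-MpEngineVersion {
    # Windows Defender on Windows 8.1/10 and Server 2012 R2+ ships the Defender
    # module; AMEngineVersion is the scanning engine (mpengine) build.
    if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
        return [version](Get-MpComputerStatus).AMEngineVersion
    }

    # Fallback for MSE / SCEP and older Defender builds without the module.
    # Assumed registry locations; confirm them on your own installation.
    $candidatePaths = @(
        'HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware\Signature Updates',
        'HKLM:\SOFTWARE\Microsoft\Windows Defender\Signature Updates'
    )
    foreach ($path in $candidatePaths) {
        $v = (Get-ItemProperty -Path $path -Name EngineVersion `
                -ErrorAction SilentlyContinue).EngineVersion
        if ($v) { return [version]$v }
    }
    throw 'No Microsoft anti-malware engine version found on this host.'
}

function Test-MpEnginePatched {
    param([version]$Minimum = $FixedEngine)

    $current = Get-MpEngineVersion
    # [version] comparison is numeric per component, so 1.1.13804.0 correctly
    # sorts above 1.1.9999.0 (a plain string compare would not).
    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        EngineVersion = $current
        FixedEngine   = $Minimum
        Patched       = ($current -ge $Minimum)
    }
}

Test-MpEnginePatched
```

Run it as an administrator on each host; a Patched value of False means the engine has not yet pulled the updated mpengine and the host is still scanning untrusted files in the unsandboxed SYSTEM-level emulator described above.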