
Denial-of-service vulnerability addressed in Microsoft Malware Protection Engine update


The Microsoft Malware Protection Engine that is integrated into several Microsoft anti-malware products, including Microsoft Security Essentials, was updated on Tuesday to address a vulnerability that could enable a denial-of-service (DoS).

Microsoft Forefront Client Security, Microsoft Forefront Endpoint Protection 2010, Microsoft Forefront Security for SharePoint Service Pack 3, Microsoft System Center 2012 Endpoint Protection, Microsoft Malicious Software Removal Tool, and Windows Intune Endpoint Protection, as well as various versions of Windows Defender, are among the affected software.

Microsoft has deemed the vulnerability to be “important,” meaning it could be exploited to compromise user data or processing resources, but not without user action, according to a Microsoft advisory posted on Tuesday.

“It's something that stops [Microsoft Malware Protection Engine], and then you lose those important protections on your systems,” Wolfgang Kandek, CTO of cloud security company Qualys, said on Wednesday. “I would patch it immediately.”

Exploiting the vulnerability – CVE-2014-2779 – involves scanning a specially crafted file with an affected version of Microsoft Malware Protection Engine, which results in a scan timeout, according to the advisory. Real-time protection could worsen the problem because scans are automatic.

An attacker looking to exploit this vulnerability could deliver the specially crafted file to a victim's system through a website, email or instant message, or the file could be posted to a website that hosts user content, according to the advisory.

Ultimately, a successful exploit of the vulnerability will result in Microsoft Malware Protection Engine not properly monitoring affected systems, at least not until the specially crafted file is deleted and the service is restarted, according to the post.

“No, I don't think it's easy,” Kandek said. “The attacker would have to investigate to find a file that exhibits these properties. It's a big effort, and would take an attacker quite some time, which is good because it gives us time to apply the patch as quickly as possible.”

No action is required by administrators or end users to install the update, according to the advisory, but Microsoft still suggests ensuring that systems are running Microsoft Malware Protection Engine 1.1.10701.0 or later.
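To verify that recommendation across a fleet, the added example below (not code from Microsoft or the advisory) audits an inventory export against the fixed engine version 1.1.10701.0. The CSV layout, hostnames and all other version values are constructed for illustration.

```python
import csv
import io

# Minimum engine version that contains the fix, as stated in the advisory.
FIXED_ENGINE = "1.1.10701.0"

# Constructed sample inventory export: hostnames and versions are made up,
# and the column names are an assumption about the export format.
SAMPLE_INVENTORY = """host,product,engine_version
ws-001,Windows Defender,1.1.10701.0
ws-002,Microsoft Security Essentials,1.1.10600.0
srv-003,System Center 2012 Endpoint Protection,1.1.9901.0
ws-004,Windows Defender,1.1.10802.0
srv-005,Forefront Endpoint Protection 2010,
ws-006,Windows Defender,unknown
"""

def parse_version(text):
    """Turn '1.1.10701.0' into (1, 1, 10701, 0); return None if malformed.

    Versions must be compared numerically: as plain strings,
    '1.1.9901.0' would sort above '1.1.10701.0'.
    """
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdecimal() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def audit(inventory_csv, fixed=FIXED_ENGINE):
    """Group hosts into 'patched', 'vulnerable' and 'unknown'."""
    minimum = parse_version(fixed)
    result = {"patched": [], "vulnerable": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        version = parse_version(row.get("engine_version") or "")
        if version is None:
            # Missing or unparsable data is not evidence of a patched host.
            bucket = "unknown"
        elif version >= minimum:
            bucket = "patched"
        else:
            bucket = "vulnerable"
        result[bucket].append(row["host"])
    return result

if __name__ == "__main__":
    for status, hosts in audit(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts in the `unknown` group need a manual check, since the update is delivered automatically only where the engine can reach its update source.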

At the time of the posting, Microsoft had not received information that the vulnerability was being exploited by attackers.
