Tavis Ormandy (a security researcher on Google's Project Zero) has discovered a new security flaw in Windows. After publishing what he called the "worst vulnerability" in Windows earlier this month, he is back with another critical vulnerability, this time in Microsoft's Windows Defender.
“MsMpEng includes a full system x86 emulator that is used to execute any untrusted files that look like PE executables. The emulator runs as NT AUTHORITY\SYSTEM and isn’t sandboxed,” Ormandy wrote. “Browsing the list of win32 APIs that the emulator supports, I noticed ntdll!NtControlChannel, an ioctl-like routine that allows emulated code to control the emulator.”
MsMpEng.exe is a core process of Windows Defender, which is Microsoft’s antispyware utility. It scans downloaded files for spyware; if any suspicious items are found, it can quarantine or remove them. It also takes steps to actively prevent spyware infections by searching the system for known worms and trojan programs.
This flaw exposes the MsMpEng engine to several issues. Because the emulator accepts control commands from the code it is emulating, an application executed inside MsMpEng's emulator can control the emulator itself, which leads to remote code execution as soon as Windows Defender scans a malicious executable, for example one sent by email.
Microsoft quietly patched the vulnerability in its Malware Protection Engine. Windows users do not need to take any action if their security software is left at the default settings: the engine update is installed automatically.
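Because the engine update arrives through the normal definition-update channel, the practical check for an administrator is whether the Malware Protection Engine on a given host has actually moved past the affected version. The following PowerShell snippet is an added example, not code from the article or from Microsoft; it uses the real `Get-MpComputerStatus` and `Update-MpSignature` cmdlets from the Defender module. The article gives no version number for the fix, so `$MinimumEngineVersion` is a placeholder that must be filled in from Microsoft's advisory.

```powershell
# Added example (not from the article): confirm the local Malware Protection
# Engine is at or above the version that carries the fix, and force an update
# if it is not. The article states no fixed version, so the value below is a
# PLACEHOLDER to be replaced with the engine version from Microsoft's advisory.
$MinimumEngineVersion = [version]'0.0.0.0'   # PLACEHOLDER: fixed engine version

# AMEngineVersion is the Malware Protection Engine (mpengine) version, as opposed
# to the antivirus signature version, which updates far more often.
$status = Get-MpComputerStatus
$engine = [version]$status.AMEngineVersion

if ($engine -ge $MinimumEngineVersion) {
    Write-Output "Engine $engine is at or above $MinimumEngineVersion: fix present."
} else {
    Write-Output "Engine $engine is below $MinimumEngineVersion: requesting an update."
    # Pulls the latest engine and definitions through the configured update source.
    Update-MpSignature
    $engine = [version](Get-MpComputerStatus).AMEngineVersion
    Write-Output "Engine version after update: $engine"
}

# Last definition update time, useful when checking a fleet for hosts whose
# automatic updates have silently stalled.
Write-Output "Signatures last updated: $($status.AntivirusSignatureLastUpdated)"
```

Run it in an elevated PowerShell session; the comparison is done on `[version]` objects rather than strings so that a four-part engine version such as 1.1.13000.0 sorts correctly against one with a larger third component.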