Malware Vulnerabilities Found In Microsoft's Malware Protection Engine
June 18, 2014

Malware Vulnerabilities Found In Microsoft’s Malware Protection Engine

Peter Suciu for - Your Universe Online

On Tuesday Microsoft confirmed that there was a vulnerability located in the Microsoft Malware Protection Engine, which makes up of the core of several Microsoft security programs for desktops and servers, including Microsoft Forefront Client Security, Microsoft System Center 2012 Endpoint Protection, the Microsoft Malicious Software Removal Tool, Microsoft Security Essentials, Windows Intune Endpoint Protection and Windows Defender.

In other words, Microsoft's anti-malware software was vulnerable to malware. Microsoft has pushed out a patch to address the vulnerability that could have led to a denial of service (DoS) attack.

"We released Security Advisory 2974294 to inform global customers about an update for the Microsoft Malware Protection Engine. This update addresses a privately disclosed issue and fixes a vulnerability that could allow a denial of service if the Microsoft Malware Protection Engine scans a specially crafted file," Dustin C. Childs, group manager for incident response communications within the Trustworthy Computing Group at Microsoft Corp., wrote on the official Microsoft Security Response Center blog. "Updates for the Microsoft Malware Protection Engine are sent through security advisories as there is typically no action required to install the update."

This particular vulnerability was discovered by Tavis Ormandy, who brought it to Microsoft's attention this week via Coordinated Vulnerability Disclosure (CVD). reported that Ormandy is an experienced bug-hunter and security researcher at Google.

Ormandy hinted at the problem this week on Twitter: "This was an interesting bug in the JavaScript interpreter in Windows Defender … (yes, it has a JS interpreter)"

In addition to a DoS attack, TomsGuide's Marshal Honorof added that the vulnerability could also allow a hacker to be able to shut down a program "or potentially freezing an entire Windows system. However, it's not clear what advantage an attacker could gain by this; simply restarting a computer and disabling Microsoft's Malware Protection Program would solve the problem."

But as Honorof also noted, perhaps just getting a user to shut down the Microsoft security suites could be part of the plan, especially if it is the only line of defense as it could "open the door for more harmful programs."

Ormandy had previously discovered a loophole in Microsoft's Windows XP software and he identified the DRM Rootkit in Ubisoft's PC game titles, including Assassin’s Creed, Splinter Cell, Rayman, and Far Cry. He also found critical vulnerabilities in Sophos anti-virus software – so Microsoft is not alone in producing software that is meant to stop malware but is itself susceptible to attack.

Since the discovery of the vulnerability to its anti-malware software Microsoft has worked to release a patch, which will be part of automatic updates in the software.

"Typically, no action is required of enterprise administrators or end users to install updates for the Microsoft Malware Protection Engine, because the built-in mechanism for the automatic detection and deployment of updates will apply the update within 48 hours of release. The exact time frame depends on the software used, Internet connection, and infrastructure configuration," Microsoft posted on the Microsoft Security Advisory 2974294 site.