Microsoft quietly patched a critical vulnerability Wednesday in its Malware Protection Engine. The vulnerability was found May 12 by Google’s Project Zero team, which said an attacker could have crafted an executable that, when processed by the Malware Protection Engine’s emulator, could enable remote code execution.
Unlike the May 9 emergency patch for what Google researchers called the worst Windows vulnerability in recent memory, this week’s fix was a silent one, said Project Zero researcher Tavis Ormandy, who privately disclosed the bug to Microsoft. The previous zero day (CVE-2017-0290) was also in the Microsoft Malware Protection Engine, which runs in most of Microsoft’s antimalware offerings bundled with Windows.
“MsMpEng includes a full system x86 emulator that is used to execute any untrusted files that look like PE executables. The emulator runs as NT AUTHORITY\SYSTEM and isn’t sandboxed,” Ormandy wrote. “Browsing the list of win32 APIs that the emulator supports, I noticed ntdll!NtControlChannel, an ioctl-like routine that allows emulated code to control the emulator.”