Saturday, 24 June 2017

Posted at 04:24 by admin
A vulnerability classified as very critical was found in Microsoft Malware Protection Engine up to version 1.1.13804.0 on 32-bit systems. It affects an unknown function in the library mpengine.dll. Manipulation with an unknown input leads to a buffer overflow. The issue is classified as CWE-119, and it impacts confidentiality, integrity, and availability.
The weakness was disclosed on 06/23/2017 by Tavis Ormandy of Google in a confirmed security update guide (website). The advisory is available for download (link not preserved in this copy). The public release was coordinated in cooperation with Microsoft. This vulnerability is uniquely identified as CVE-2017-8558. The attack can be initiated remotely, and no form of authentication is needed for exploitation. Technical details of the vulnerability are known, but no exploit is publicly available. The price of an exploit is estimated at around USD $25k-$100k at the moment (estimate calculated on 06/24/2017). The advisory points out:
A remote code execution vulnerability exists when the Microsoft Malware Protection Engine does not properly scan a specially crafted file, leading to memory corruption. An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the LocalSystem account and take control of the system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
We expect the 0-day to have been worth approximately $100k-$500k. The advisory explains:
To exploit this vulnerability, a specially crafted file must be scanned by an affected version of the Microsoft Malware Protection Engine. There are many ways that an attacker could place a specially crafted file in a location that is scanned by the Microsoft Malware Protection Engine. For example, an attacker could use a website to deliver a specially crafted file to the victim's system that is scanned when the website is viewed by the user. An attacker could also deliver a specially crafted file via an email message or in an Instant Messenger message that is scanned when the file is opened. In addition, an attacker could take advantage of websites that accept or host user-provided content, to upload a specially crafted file to a shared location that is scanned by the Malware Protection Engine running on the hosting server.
Upgrading to version 1.1.13903.0 eliminates this vulnerability. Applying the patch resolves the problem. The bugfix is available for download (link not preserved in this copy). The best possible mitigation is patching the affected component; a mitigation was published immediately after the disclosure of the vulnerability. The security update guide contains the following remark:
The update addresses the vulnerability by correcting the manner in which the Microsoft Malware Protection Engine scans specially crafted files.
The vulnerability is also documented in the vulnerability database at SecurityTracker (ID 1038783).

Affected products:
  • Microsoft Endpoint Protection
  • Microsoft Forefront Endpoint Protection
  • Microsoft Forefront Endpoint Protection 2010
  • Microsoft Windows Intune Endpoint Protection
  • Microsoft Windows Defender


VulDB Base Score: 9.8
VulDB Temp Score: 9.4
VulDB Reliability: High


VulDB Base Score: 9.3 (CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)
VulDB Temp Score: 8.1 (CVSS2#E:ND/RL:OF/RC:C)
VulDB Reliability: High



Class: Buffer overflow (CWE-119)
Local: No
Remote: Yes

Availability: No

Price Prediction: steady
Current Price Estimation



Recommended: Patch
Status: Official fix
Reaction Time: 0 days since reported
0-Day Time: 0 days since found
Exposure Time: 0 days since known

Upgrade: Malware Protection Engine 1.1.13903.0

Timeline:
06/23/2017   Advisory disclosed
06/23/2017  +0 days Countermeasure disclosed
06/23/2017  +0 days SecurityTracker entry created
06/24/2017  +1 days VulDB entry created
06/24/2017  +0 days VulDB last update

Researcher: Tavis Ormandy
Organization: Google
Status: Confirmed
Coordinated: Yes

CVE: CVE-2017-8558

SecurityTracker: 1038783 - Microsoft Forefront Endpoint Protection File Processing Flaw in Microsoft Malware Protection Engine Lets Remote Users Execute Arbitrary Code