Microsoft's 'Malware Protection Engine' Had A Remote Code Execution Flaw

Slashdot reader Trax3001BBS shares an article from The Register: Microsoft posted an out-of-band security update Thursday to address a remote code execution flaw in its Malware Protection Engine. Redmond says the flaw, dubbed CVE-2017-11937, has not yet been exploited in the wild. Because it is an out-of-band critical fix, however, it should be installed as soon as possible. For most users, this will happen automatically.

The security hole is present in Windows Defender and Microsoft Security Essentials, as well as Endpoint Protection, Forefront Endpoint Protection, and Exchange Server 2013 and 2016... According to Microsoft, the vulnerability can be triggered when the Malware Protection Engine scans a downloaded file to check for threats. In many systems this is set to happen automatically for all new files. By exploiting a memory corruption error in the malware scanning tool, the attack file would be able to execute code on the target machine with LocalSystem privileges.

Re:

[NicknameUnavailable]

If you haven't caught on by now: Microsoft employs a form of rotating backdoor where a set of patches fix security holes but introduce new ones. It's a method to keep the backdoor secure against third parties while still allowing them access. It's technically "secure against this," unless you define "this" to mean "the backdoor" instead of "the specific implementation of the backdoor," in which case it is not and will likely never be.

Re:

[phantomfive]

Apparently you use a browser. Your security has a huge hole.

True enterprise grade

[fubarrr]

True enterprise grade bugs, now not only Apple's monopoly

Re: True enterprise grade

[Brockmire]

Apple's bugs were not Enterprise grade, they were trivial. Stop trying to make Apple look better after another epic fail.

I got a Mac instead of a Win10 laptop

[Hal_Porter]

Still, I've got to admit MS are doing a pretty decent job on security at the moment. This hole is already patched and the KRACK vulnerability was patched before it was made public

https://www.bleepingcomputer.c... [bleepingcomputer.com]

Pretty sneaky, Microsoft. While some vendors were scrambling to release updates to fix the KRACK Attack vulnerability released today, Microsoft, quietly snuck the fix into last week's Patch Tuesday.

While Windows users were dutifully installing October 10th's Patch Tuesday security updates, little did they know they were also installing a fix for the KRACK vulnerability that was not publicly disclosed until today. This fix was installed via a cumulative update that included over 25 other updates, but didn't provide any useful info until you visited the associated knowledge basic article.

Even if you were bored enough to actually click on the More info button, you would have had to be REALLY bored to even spot a reference to a vague mention of a wireless security update in the last bullet item of the knowledge base article.

Re:

[Zero__Kelvin]

The KRACK vulnerability was fixed on every OS before it was made public. That was the whole prerequisite to it being made public. You might as well congratulate your girlfriend on waiting to get an STD until after she had sex.

Re: I got a Mac instead of a Win10 laptop

[c6gunner]

I would have been more impressed if she got an STD before she has sex.

Re: I got a Mac instead of a Win10 laptop

[Zero__Kelvin]

Yeah ... that's the point.

Re:

[Hal_Porter]

Google took didn't fix it until after it was made public. Neither did Apple. And if you have an Android device you need to wait for the vendor to release it.

https://techcrunch.com/2017/10... [techcrunch.com]

Re: I got a Mac instead of a Win10 laptop

[Zero__Kelvin]

You should be careful where you get your news. That article says Microsoft was "leading the pack" even though OpenBSD had the fix months earlier because Theodore the rat violated the agreement for all vendors to wait and fix it at the same time. Linux also already had a fix. Google and Apple both had fixes as well; they just hadn't rolled them out to every device yet. If you know anything about Android you know it is outside of Google's control, just as the Linux team can't force every distro to roll out a patch. Again, "Microsoft is leading the pack here" is a bald faced lie.

Re: I got a Mac instead of a Win10 laptop

[Brockmire]

Wow, about Theo. I wonder if that puts future disclosures at risk of being left out of early notification. Did he slip it in or was it obvious and noted in changelogs?

Translation

[slshdtisctrldbysjws]

Remote Code Execution Flaw

=

Engineered Vulnerability

The deck is stacked against us. Publicly traded companies and the federal government are the same entity. They are conspiring to throw us down into the deepest possible slavery and probably to kill/sterilize us once they have the machines to replace us.

The possibility to resolve this problem without utter chaos lasting indefinitely is closing. Those of us who realize the threat need to band together NOW and bleed this system dry with sabotage and seek to rebuild our republic.

Re:

[chill]

You joke, but The Four Nobel Truths of Buddhism are:

1) All life is suffering
2) Suffering is caused by desire
3) Eliminate desire and you eliminate suffering
4) Follow the Noble Eightfold Path to eliminate desire.

Re:

[Zero__Kelvin]

Great. Now if you would just take the final step and go "no computer" we would all appreciate it. Thanks.

Yanno

[nehumanuscrede]

I refuse to even consider anything by APK, not because of who they are but, because of how often they spam their work on here.

There is a point where advertising becomes counter-productive and I just start ignoring it or take steps to eradicate it.

Re: Mine (no bugs to date for 5++ yrs. now)

[Brockmire]

I know you have lists of domains to block, but how are you avoiding using any DNS lookups to actually speed things up? Do you have millions of entries in your hosts file? Between 4-7% of my daily DNS traffic is blocked for ads. All the good sites still need to be looked up by DNS. Which doesn't change the speed at all using your hosts shit. Stop lying about the benefits of your fucking hosts app. You're clueless with all the supposed advantages you falsely claim. It's just a fucking list aggregator, it's

Microsoft Security Flaw?

[hduff]

https://i.imgur.com/he21BvU.jp... [imgur.com]

Again!

[Chris Mattern]

"Out of band" does not mean "unscheduled", you dozy twats!