{"id":10771,"date":"2017-12-08T08:30:08","date_gmt":"2017-12-08T16:30:08","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/12\/08\/news-4543\/"},"modified":"2017-12-08T08:30:08","modified_gmt":"2017-12-08T16:30:08","slug":"news-4543","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/12\/08\/news-4543\/","title":{"rendered":"Microsoft quietly repairs Windows Defender security hole CVE-2017-11937"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/images.idgesg.net\/images\/article\/2017\/09\/windows_patch_security5-100734739-large.3x2.jpg\"\/><\/p>\n<p><strong>Credit to Author: Woody Leonhard | Date: Fri, 08 Dec 2017 07:23:00 -0800<\/strong><\/p>\n<p>Many malware researchers were surprised to find an unexpected patch on their machines yesterday. It didn\u2019t arrive through the front door: Windows Update wasn\u2019t involved. Instead, the new version of mpengine.dll arrived automatically, around the back, through the Malware Protection Engine\u2019s own definition-update channel, which keeps running even if you have Windows Update turned off.<\/p>\n<p>This vulnerability is particularly nasty. If the Malware Protection Engine scans a specially crafted file, that file can hijack the engine and run arbitrary code in the security context of the LocalSystem account, which amounts to full control of the machine. Since the engine scans files automatically in the background whenever real-time protection is on, the victim doesn\u2019t have to open anything; getting the file into any location that gets scanned is enough, and there are myriad ways to do that. To quote Microsoft\u2019s <a href=\"https:\/\/portal.msrc.microsoft.com\/en-US\/security-guidance\/advisory\/CVE-2017-11937\" rel=\"nofollow\">Security Vulnerability notice<\/a>:<\/p>\n<p>There are many ways that an attacker could place a specially crafted file in a location that is scanned by the Microsoft Malware Protection Engine. For example, an attacker could use a website to deliver a specially crafted file to the victim&#8217;s system that is scanned when the website is viewed by the user. An attacker could also deliver a specially crafted file via an email message or in an Instant Messenger message that is scanned when the file is opened. 
In addition, an attacker could take advantage of websites that accept or host user-provided content, to upload a specially crafted file to a shared location that is scanned by the Malware Protection Engine running on the hosting server.<\/p>\n<p>\u2026 and that, my friend, is one whopper of a security hole. It\u2019s easily on a par with the bug in the Malware Protection Engine&#8217;s JavaScript engine that I talked about on <a href=\"https:\/\/www.computerworld.com\/article\/3195411\/endpoint-protection\/heres-how-to-check-if-your-pc-got-microsofts-fix-for-windows-defender-bug.html\">May 9<\/a>.<\/p>\n<p>The <a href=\"http:\/\/www.securityfocus.com\/bid\/102070\" rel=\"nofollow\">list of affected systems<\/a> reads like a who\u2019s who of the Windows world: all versions of Win10, 8.1 and 7, Win RT 8.1, Server 2016, Forefront Endpoint Protection, Exchange Server, and Server 2008 R2 with Desktop Experience. And those are only the supported versions of Windows: WinXP appears to be vulnerable as well, but no fix is being distributed for it.<\/p>\n<p>Catalin Cimpanu at BleepingComputer <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/microsoft-fixes-malware-protection-engine-bug-discovered-by-british-intelligence\/\" rel=\"nofollow\">has more details<\/a>, including a pedigree that traces the discovery of the flaw to the U.K. National Cyber Security Centre. He also lists three additional \u201ccrazy bad\u201d security holes in mpengine.dll from earlier this year.<\/p>\n<p>To see if you\u2019ve been updated properly, bring up Windows Defender and look at the Engine Version it reports. (I have instructions for Win 7, 8.1 and 10 in my <a href=\"https:\/\/www.computerworld.com\/article\/3195411\/endpoint-protection\/heres-how-to-check-if-your-pc-got-microsofts-fix-for-windows-defender-bug.html\">May 9 report<\/a>.) 
If you see Engine Version 1.1.14306 (screenshot), or any other engine version lower than 1.1.14405.2, your machine hasn\u2019t caught up yet.<\/p>\n<p>If your machine isn\u2019t yet up to the latest version, 1.1.14405.2, I strongly suggest that you not touch the machine until it updates itself. Go get a cup of coffee, and it\u2019ll likely be done by the time you\u2019re back.<\/p>\n<p><em>Join us for more patching fun \u2018n games on the <a href=\"https:\/\/www.askwoody.com\/2017\/microsoft-quietly-repairs-security-hole-in-windows-defender-cve-2017-11937\/\" rel=\"nofollow\">AskWoody Lounge<\/a>.<\/em><\/p>\n<p><a href=\"https:\/\/www.computerworld.com\/article\/3240936\/microsoft-windows\/microsoft-quietly-repairs-windows-defender-security-hole-cve-2017-11937.html#tk.rss_security\" target=\"bwo\" >http:\/\/www.computerworld.com\/category\/security\/index.rss<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[11062,10643],"tags":[714,10761],"class_list":["post-10771","post","type-post","status-publish","format-standard","hentry","category-computerworld","category-independent","tag-security","tag-windows-10"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/10771","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=10771"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/10771\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=10771"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=10771"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=10771"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
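The version check the article describes (open Windows Defender, compare the Engine Version with 1.1.14405.2, wait for the engine to update itself), done from PowerShell instead of the GUI. This is an added example, not code from the article, from Woody Leonhard, or from Microsoft. It uses the Defender module's real Get-MpComputerStatus and Update-MpSignature cmdlets; the fixed engine version 1.1.14405.2 is the one the article names; the fallback that scans for mpengine.dll under %ProgramData%\Microsoft\Windows Defender is an assumption about where a typical install keeps the engine and is only used when the cmdlet is unavailable.

```powershell
# Added example: does this machine's Malware Protection Engine carry the
# CVE-2017-11937 fix (engine 1.1.14405.2 per the article)? If not, pull the
# definition update that delivers the new mpengine.dll.
# Requires the Defender PowerShell module (present on Windows 8.1/10/Server 2016).

$FixedEngine = [version]'1.1.14405.2'   # version named in the article

function Get-MpEngineVersion {
    # Prefer the live value reported by the antimalware service.
    try {
        $status = Get-MpComputerStatus -ErrorAction Stop
        return [version]$status.AMEngineVersion
    } catch {
        Write-Warning "Get-MpComputerStatus failed ($($_.Exception.Message)); falling back to the mpengine.dll file version."
    }
    # Fallback (assumption about the on-disk layout): locate the newest
    # mpengine.dll under the Defender data directory and read its file version.
    $root = Join-Path $env:ProgramData 'Microsoft\Windows Defender'
    $dll = Get-ChildItem -Path $root -Filter mpengine.dll -Recurse -ErrorAction SilentlyContinue |
           Sort-Object LastWriteTime -Descending | Select-Object -First 1
    if (-not $dll) { throw "mpengine.dll not found under $root" }
    return [version]$dll.VersionInfo.FileVersion
}

function Test-MpEngineFixed {
    param([version]$Current, [version]$Required = $FixedEngine)
    # [version] compares all four fields numerically, so 1.1.14306.0 -lt 1.1.14405.2
    # even though a string comparison would get this wrong.
    return ($Current -ge $Required)
}

$current = Get-MpEngineVersion
if (Test-MpEngineFixed -Current $current) {
    "Engine $current is at or above $FixedEngine: CVE-2017-11937 fix present."
} else {
    "Engine $current is below $FixedEngine: not yet patched. Requesting a definition update..."
    # Engine updates ride along with definition updates, which is why the fix
    # arrives even on machines with Windows Update turned off.
    Update-MpSignature -ErrorAction Stop
    $after = Get-MpEngineVersion
    if (Test-MpEngineFixed -Current $after) {
        "Updated to engine $after."
    } else {
        "Still on engine $after; the update may not have reached this channel yet. Re-run later."
    }
}
```

Run it from an elevated PowerShell prompt. The explicit [version] casts matter: comparing the raw strings would rank "1.1.14306.0" and "1.1.14405.2" lexically rather than numerically, which is exactly the kind of mistake that makes an unpatched machine look patched.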