back to article Microsoft emergency update: Malware Engine needs, erm, malware protection

Microsoft has posted an out-of-band security update to address a remote code execution flaw in its Malware Protection Engine. Redmond says the flaw, dubbed CVE-2017-11937, has not yet been exploited in the wild. Because it is an out-of-band critical fix, however, it should be installed as soon as possible. For most users, this …

  1. JimboSmith

    You couldn't make this stuff up.

    1. Craig 2

      You couldn't make this stuff up....

      That's the beauty of it: with Microsoft you don't need to!

    2. Anonymous Coward
      Anonymous Coward

      You couldn't make this stuff up.

      "You couldn't make this stuff up."

      No you can't make it up. As it turns out, the software on your computer is bloody complicated and funnily enough it isn't perfect. I don't have MS' stats but I do know that the Linux kernel is roughly 70,000 files with rather a lot of LoC.

      As it turns out, bugs happen.

      1. eldakka

        Re: You couldn't make this stuff up.

        I don't have MS' stats but I do know that the Linux kernel is roughly 70,000 files with rather a lot of LoC.

        As it turns out, bugs happen.

        I think you are missing the irony, this is not a bug in the Operating System itself, the kernel or other necessary modules/process (e.g. file system drivers) that is needed to make a computer perform useful tasks for an end-user. This is a bug in a separate non-OS application that you could - from a using the system perspective - quite happily live without. This applications specific job - it's one and only reason for existence - is to protect the user from opening files containing malware. And yet, that application, in the process of checking a file for malware, becomes the vector that enables malware to not only infect the computer, but to gain privileged access along the way.

        1. Anonymous Coward
          Anonymous Coward

          Re: You couldn't make this stuff up.

          Are you sure this MS Malware Protection Engine isn't inextricably woven into the OS? I mean, that's their usual MO...

          1. Paul 129
            Devil

            Re: You couldn't make this stuff up.

            It certainly tries to push itself down your throat. +1 to the irony meter.

            1. Danny 14

              Re: You couldn't make this stuff up.

              you can GPO windows defender and ypu dont have to use forefront. However, if you do use either then you pretty much expect antimalware not to introduce malware....

          2. Anonymous Coward
            Anonymous Coward

            Re: You couldn't make this stuff up.

            I can't quite muster up the outrage.

            In a time of throw-away-your-motherboard-and-anything-ever-connected-to-it vulns in the Intel chips, it seems almost quaint to worry about antivirus being intrinsically woven into anything as high-level as the operating system.

    3. HmmmYes

      Oh Microsoft seem to ....

  2. Terry 6 Silver badge

    Wider issue

    Underlying this, and maybe built in to the OS, is the simple fact that this programme with a specific job to do can trigger and allow the running of a programme that is unconnected. i.e. the file being scanned is allowed to climb out from under the microscope. I don't have the skills to do more than believe this is how it should be done - but surely a file being scanned shouldn't be allowed to do anything until the scan is completed.

    1. Richard 12 Silver badge

      Nope

      This is simply a bug in the scanning software itself.

      A likely cause might be a buffer overrun when it encounters a specific pattern in the file it's scanning.

    2. TrumpSlurp the Troll
      WTF?

      Re: Wider issue

      I think I'm with you on this one.

      Given that AV should isolate anything being checked, scan it and quarantine it if in doubt, how the hell does a "bug" get to execute rogue code?

      Not doing something intetesting like "Let's just run this in a sandbox and see if it tries something iffy." by any chance? Followed by "Oops!".

      Otherwise how does it get even near executing files that it is checking?

      1. Terry 6 Silver badge

        Re: Wider issue

        Thanks, yes, in my naive way I would expect any scanning software to examine the code, not run it. Otherwise it's no better than when those detectives in old American cop dramas stick a finger into the white powder and taste it.

        1. Kiwi
          Holmes

          Re: Wider issue

          Thanks, yes, in my naive way I would expect any scanning software to examine the code, not run it. Otherwise it's no better than when those detectives in old American cop dramas stick a finger into the white powder and taste it.

          Always wondered what would happen if someone tipped the cops off that cocaine was being transported in drums marked as xxx-Cyanide (the xxx being something combined with the cyanide that'd give the resulting compound a whiter colour while still leaving the lethality) - if they really did things like in the movies how many would perish before they realised tasting even a tiny amount of "strange white powder" is a very bad idea? (also IIRC wouldn't is somewhat resemble anthrax spores? (not that you're transport anthrax in large bricks but a small packet (enough for a druggy to get their fix of cocaine) of flour mixed with a few spores...)

          Even as a kid I thought "that's silly, what is someone poisons it?".

      2. Richocet

        Re: Wider issue

        That is how the software is designed (compartmentalised).

        The issue is that if the file being analysed contains some arcane pattern of data that causes the analyser to crash, then all bets are off about what happens next. That is a common tactic that hackers use on any software.

        It is not possible to test the software against every combination of data that could ever be fed to it, so the software would be vulnerable to this risk, as is the case for a lot of software.

        Some data and calculations or logic on that data need to be fed into the processor together. There is no way around that.

      3. Phil Endecott

        Re: Wider issue

        > Otherwise how does it get even near executing files that it is checking?

        Typically it could be something like: it was trying to copy N bytes from the file to memory, but N is misinterpretted as 255 instead of -1, so the bytes overwrite a location on the stack that contained a return address. So when the function returns it starts executing code from that address, which could also be from the malicious file.

        1. Boris the Cockroach Silver badge
          Facepalm

          Re: Wider issue

          Its 2017 people...

          If the above attack methods are how the malware get in.... how did the programmers of the 1990's( who were expert in never bothering to bounds check) escape into 2017 and write critical code for m$

          This deserves this icon

          1. aqk
            Facepalm

            Re: Wider M$ issue

            M$ ?? Wow I haven't seen this witty abbreviation since the days of those weenie Apple Fanbois, who were always muttering, nay, crowing about how "Bill Gates is the ANTICHRIST!"

            How's your Apple Macintosh these days? It must be middle aged by now. Just like you...

    3. John H Woods

      "surely a file being scanned shouldn't be allowed to do anything until the scan is completed"

      I completely agree but note that you could make exactly the same argument for a picture file, a document or even an http response.

      The classic case is finding an input of a size and nature that exploits a processing allowing it to overrun its process space. One technique is the so-called NOP sled... A huge number of no-op byte codes preceding the code to be executed. Then if you can cause program execution to jump anywhere into the sled range, the code following it will be run.

  3. Anonymous Coward
    Anonymous Coward

    Woo run

    Ahhhhh gotta love examples of true irony.

    Remind me again, why isn't this app compartmentalised? The virus scanning part, running as an unprivileged nobody user, blind and limbless, unable to do anything but listen to a byte stream whispered in its ear, and reply 'clean' or 'infected'?

    Ho hum. I've got some fonts to display. Better fire up kernel mode.

    1. keithzg

      Re: Woo run

      I remember security researchers inquiring about the lack of robust sandboxing in Microsoft's antimalware engine and I believe the response they got was that the Microsoft engineers understood and agreed, but hadn't be able to get that implemented yet. That was a while ago, and clearly they (or more likely, their bosses) haven't given it much priority in the intervening time.

  4. Gordon 11

    Because it is an out-of-band critical fix, however, it should be installed as soon as possible. For most users, this will happen automatically.
    Odd then that when I fire up my two Windows systems to look for this, only one of them finds it.

    And even that one has it scheduled behind a "2017-11 Cumulative Update" that has been sitting at a status of "Preparing to download - 100%" for over 15 minutes without progressing.

  5. Anonymous Coward
    Anonymous Coward

    "Microsoft notes that, because Malware Protection Engine is set up to constantly receive updates..."

    That is precisely the problem when it comes to today's Microsoft.

  6. Voland's right hand Silver badge

    Lovely article headline

    You did call it correctly - "Malware Engine".

    1. Anonymous Coward
      Anonymous Coward

      Re: Lovely article headline

      Truth in Advertising.

  7. Christian Berger

    It's a basic problem with "security software"

    Any increase in complexity means more bugs and more security critical bugs. In "security software" this is particularly bad, as that software handles data you otherwise wouldn't handle.

  8. Anonymous Coward
    Anonymous Coward

    maybe ... just maybe we need better hardware ?

    Buffer overrun exploits are as old as the hills and rely on the fact that the hardware allows them, surely ?

    1. Anonymous Coward
      Anonymous Coward

      Re: maybe ... just maybe we need better hardware ?

      I'm not sure I agree. Would this mean that more hardware is out of the control of the user/administrator? Imho, that would be the last thing we need. I don't want more ME type issues. I want more access to hardware and the firmware that runs it. I know software can be hard to get right, but buffer overflows and many other bugs have been an issue since the beginning of software. I believe education is the issue. I also think that although everyone deserves the same shot at going as far as they possibly can with a great education that educational standards have fallen over the last 40 years.

      I work as neither a programmer nor a sys admin, but if my education premise holds true for those fields as well then there are too many programmers and admins who should be doing other things; but, a flooded market certainly helps drive down wages for all but the very best in any field and maybe them too.

      1. Christian Berger

        Re: maybe ... just maybe we need better hardware ?

        "I'm not sure I agree. Would this mean that more hardware is out of the control of the user/administrator? Imho, that would be the last thing we need. I don't want more ME type issues. "

        No, ME/SecureBoot/etc aren't security features. This would work a lot more differently.

        Essentially you'd have something like tagged type architectures where the CPU stores values along with their types. Essentially the CPU would be able to know where memory areas end. Additionally you could add tags like "private, not to be put on the network", and functions that encrypt data could add an "encrypted data" tag to it. That way you could put a filter on your network card to only let out private data that's encrypted. Such filters could even work in hardware.

        However the big problem is that you loose all compatibility with existing systems. Considering the number of written from scratch full blown operating systems having been developed in the last 20 years was 0, that's quite some work to do.

        1. Richard 12 Silver badge

          We do. It can't cover everything.

          There are constructs using CPU traps (eg exceptions) that allow the CPU to catch many such issues.

          However, given that the only thing the OS can do is to kill the offending process, the cure can be worse than the disease.

          Aside from that, the CPU often isn't even involved as these are DMA transfers.

          1. Christian Berger

            Re: We do. It can't cover everything.

            "Aside from that, the CPU often isn't even involved as these are DMA transfers."

            Obviously the DMA also would need to comply to this, you couldn't just plug in any old PCI-card.

    2. grumpy-old-person

      Re: maybe ... just maybe we need better hardware ?

      When I was still young there were many projects that proposed solutions that provided protection in hardware - IBM's SWARD had hardware protection against 19 of 21 programming issues (if my failing memory is correct :) ).

      As I recall, the hardware technology at the time was just not powerful enough to make any of these proposals yield acceptable performance - although I am reminded of the comment in "The Elements of Programming Style" that turning off (software) array-bounds checking allowed the generation of faulty results as fast as possible.

      Perhaps we should be digging out research material from way back and reexamining it for implementation now.

  9. Colin McKinnon

    Is it just me?

    ....Millenium Edition,

    Myalgic Encephalomyelitis,

    Management Engine

    and now Malware Engine

    1. Anonymous Coward
      Anonymous Coward

      Re: Is it just me?

      It's all part of Trump's evil agenda.

      I know I shouldn't joke about that as I do believe he has an evil agenda and I don't want to diminish those real issues, but it's just so tempting.

  10. Hans 1

    It is 2017, and a Windows box can be owned by specially crafted file

    No user action required, just put a site up that serves the file as content of a page, such as, a fake image file. ==> \ - /

  11. adam payne

    A malware scanner than scans the file, subsequently executes it and infects.

    Absolutely brilliant!

  12. RyokuMas
    Coat

    Hello, Kim Jon Un...

    Microsoft want volunteer their foot as a target for one of your latest rockets - but on the condition they get to press the launch button themselves...

    Seriously, this has to stop - I'm running out of suitably huge "shoot yourself in the foot" analogies!

  13. spot

    Is suppose users could replace Microsoft Defender with the rather more trustworthy Kaspersky product?

  14. Anonymous Coward
    Anonymous Coward

    Shoot in foot

    Nah, Microsoft lets you shoot everyone in the foot in one go.

    To take the analogy further, the fellow on Earth-113 who is still using Windows 98SE will find that the rogue update he installed using the tunneling scanner caused the system to break because it fixed a vulnerability that never got added because the programmer went on holiday a day earlier and the rest of the team picked up the glaring error(s) and fixed them before release.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like