Severity: High
13 February, 2007
Summary:
Today, Microsoft released a security bulletin describing an integer overflow vulnerability in Microsoft’s Malware Protection Engine, the scanning engine Microsoft’s latest security products use. By sending an email containing a specially crafted PDF attachment, an attacker could exploit this flaw to execute code and gain total control of any computer running Windows Live OneCare, Windows Defender, Microsoft Antigen, or Microsoft Forefront Security. Since the Malware Protection Engine software scans incoming files automatically, the attack could succeed even if the targeted victim does not interact with the malicious PDF file. If you use any of Microsoft’s vulnerable security products in your network, you should download, test, and apply the appropriate patch immediately.
Exposure:
Microsoft’s Malware Protection Engine provides the scanning, detecting, and cleaning capabilities for the following Microsoft security products:
- Windows Live OneCare
- Windows Defender
- Microsoft Forefront Security
- Microsoft Antigen
According to Microsoft’s security bulletin, the Malware Protection Engine suffers from an integer overflow vulnerability due to its improper handling of specially malformed PDF documents. By sending an email containing a specially crafted PDF attachment, an attacker can exploit this integer overflow to gain complete control of any computer running Microsoft’s security software. Since the Malware Protection Engine scans incoming files automatically, this sort of attack would succeed even if no one interacts with the malicious email. Once the engine scans the infected email, the attacker gains full control without any help from the unsuspecting victim. Furthermore, the Malware Protection Engine also scans files that pass via HTTP. This means an attacker might also exploit this flaw by hosting his malicious file on a Web site.
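The C example below is added here to illustrate the bug class the bulletin names; it is not the Malware Protection Engine's code, and the 8-byte object header, the field names and the 64 MiB ceiling are assumptions constructed for the illustration. It sizes a buffer from two untrusted length fields first with unchecked 32-bit arithmetic, which wraps, then with the overflow check a hardened parser performs before any allocation.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed illustration of an integer overflow while sizing a buffer
 * from untrusted length fields in a scanned file. This is NOT the Malware
 * Protection Engine's code; the header layout and the ceiling are assumed. */

#define MAX_OBJECT_BYTES (64u * 1024u * 1024u)  /* assumed scanner policy limit */

/* Unchecked sizing: count * elem_size is evaluated in 32 bits and wraps,
 * so a huge object can be sized as a tiny buffer. */
uint32_t naive_buffer_size(uint32_t count, uint32_t elem_size) {
    return count * elem_size;
}

/* Checked sizing: returns the byte count, or -1 if the product would wrap
 * or exceed the policy limit. The division test detects the overflow
 * before it happens, so no wrapped value is ever used. */
int64_t checked_buffer_size(uint32_t count, uint32_t elem_size) {
    if (elem_size != 0 && count > UINT32_MAX / elem_size) return -1;
    uint32_t total = count * elem_size;
    if (total > MAX_OBJECT_BYTES) return -1;
    return (int64_t)total;
}

/* Little-endian read of a 32-bit field from untrusted bytes. */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parses a constructed 8-byte header (count, elem_size) and returns the
 * buffer size the scanner may allocate, or -1 if the header is rejected. */
int64_t scan_object_header(const uint8_t *hdr, size_t len) {
    if (len < 8) return -1;                 /* truncated header */
    return checked_buffer_size(rd32(hdr), rd32(hdr + 4));
}

int main(void) {
    /* Constructed header: count = 0x10000, elem_size = 0x10001. The true
     * size is 0x100010000 bytes; 32-bit arithmetic wraps it to 0x10000. */
    const uint8_t hdr[8] = {0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x01, 0x00};
    printf("naive size:   %u\n", naive_buffer_size(0x10000u, 0x10001u));
    printf("checked size: %lld\n", (long long)scan_object_header(hdr, sizeof hdr));
    return 0;
}
```

Because the engine parses attachments automatically, a check like `checked_buffer_size` runs on every inbound file with no user action involved, which is why a parser fault of this kind is rated High.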
Neel Mehta, an X-Force research engineer, and Alex Wheeler, a former X-Force team member, originally discovered this scanning engine flaw. They have been finding flaws in antivirus (AV) scanning engines since 2005. If you’d like to read more about problems in antivirus software, check out our interview with them from Black Hat 2005, “Antivirus: Solution, or Problem?”
Solution:
Microsoft has released updates correcting this vulnerability. The affected Microsoft security products all receive updates automatically. As long as you have not disabled automatic updates, you should have already received the patch. If you have disabled AutoUpdate or Microsoft Update for the Microsoft Antivirus client software, you need to either re-enable AutoUpdate or update the Microsoft Antivirus client software manually to obtain the updated Microsoft Malware Protection engine. To update the Microsoft Antivirus client software manually, follow the product documentation provided with the affected software. Unfortunately, Microsoft does not provide any direct links to these updates.
Status:
Microsoft has released fixes for this issue.