New Remote Code Execution bug poised to be “Crazy Bad” for unpatched Windows Operating Systems.

UPDATE: As of 9th May 2017 the Remote Code Execution bug has been assigned a CVE ID (CVE-2017-0290) and a security patch has been released by Microsoft (https://technet.microsoft.com/library/security/4022344). The bug was discovered within mpengine (the Microsoft Malware Protection Engine), which is used primarily by the following Microsoft Windows software:

  • Microsoft Endpoint Protection 2010
  • Microsoft Endpoint Protection
  • Microsoft Forefront Security for SharePoint Service Pack 3
  • Microsoft System Center Endpoint Protection
  • Microsoft Security Essentials
  • Windows Defender for Windows 7
  • Windows Defender for Windows 8.1
  • Windows Defender for Windows RT 8.1
  • Windows Defender for Windows 10, Windows 10 1511, Windows 10 1607, Windows Server 2016, Windows 10 1703
  • Windows Intune Endpoint Protection

If any of the systems you have in operation house any of the affected software, it is highly recommended that you ensure the software is updated as soon as possible. Upon successful installation of the update, the engine version number of the affected software will match or exceed version 1.1.9506.0.
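As an added example (not part of the original Zepko post), the following Python triages a constructed inventory of engine versions against the 1.1.9506.0 threshold stated above; the host names, product strings and version values are made up, and the script only shows how to compare engine versions correctly rather than lexically.

```python
import re
from typing import Iterable, Optional

# Minimum engine version named in this advisory for CVE-2017-0290.
FIXED_ENGINE_VERSION = "1.1.9506.0"

_VERSION_RE = re.compile(r"^\d+(\.\d+){1,3}$")


def parse_version(text: str) -> Optional[tuple]:
    """'1.1.9506.0' -> (1, 1, 9506, 0); None for a malformed or empty value.
    Integer tuples avoid the lexical pitfall where '1.1.10001.0' sorts
    below '1.1.9506.0' simply because '1' < '9'."""
    text = text.strip()
    if not _VERSION_RE.match(text):
        return None
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (4 - len(parts))  # pad short versions to 4 parts


def is_patched(engine_version: str, minimum: str = FIXED_ENGINE_VERSION) -> bool:
    """True when the engine version matches or exceeds the fixed version."""
    floor = parse_version(minimum)
    if floor is None:
        raise ValueError(f"bad minimum version: {minimum!r}")
    parsed = parse_version(engine_version)
    return parsed is not None and parsed >= floor


def triage(inventory: Iterable[str]) -> dict:
    """Bucket 'host,product,engine_version' lines into patched, unpatched
    and unknown (missing or unparseable version, which still needs a look)."""
    result = {"patched": [], "unpatched": [], "unknown": []}
    for line in inventory:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _product, version = (line.split(",", 2) + ["", ""])[:3]
        if parse_version(version) is None:
            result["unknown"].append(host)
        elif is_patched(version):
            result["patched"].append(host)
        else:
            result["unpatched"].append(host)
    return result


# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE_INVENTORY = [
    "# host,product,engine_version",
    "ws-01,Windows Defender for Windows 10,1.1.9506.0",
    "ws-02,Microsoft Security Essentials,1.1.10001.0",
    "ws-03,Windows Defender for Windows 7,1.1.9400.0",
    "srv-01,Microsoft System Center Endpoint Protection,1.1.9505.9",
    "ws-04,Windows Defender for Windows 8.1",
    "ws-05,Microsoft Forefront Security for SharePoint Service Pack 3,n/a",
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```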

Patch Management is essential in ensuring that your IT Infrastructure is protected and should be considered a top priority. Should you wish to discuss this further please do not hesitate to contact us at: Enquiry@Zepko.com.

Original Story

On 6th May 2017 two of Google's vulnerability researchers (Natalie Silvanovich and Tavis Ormandy) discovered a Remote Code Execution vulnerability within Microsoft Windows Operating Systems, which could be used to inject malicious code into a victim's system with the intention of privilege escalation and data theft/modification.

As of 8th May 2017 the Google researchers have been reserved in what information they release about the discovered bug, as it is believed that the vulnerability is unpatched at this time. However, a report is said to be incoming, most likely after Microsoft's scheduled May security patch update. This would provide Microsoft with the opportunity to implement a fix for the vulnerability in the patch before 9th May 2017 (when the security update is said to be released).

There were, however, several crucial details released that are very troubling for anyone operating Windows systems. The released details are:

  • The attacker and the victim don’t necessarily need to be on the same LAN, meaning the exploit could potentially be used from anywhere and the attacker would not have to already be in the victim’s network.
  • The attack works on a default Windows install, meaning victims don’t need to install extra software on their systems to become vulnerable; they would be vulnerable with even the most basic operating system configuration.
  • The attack is “Wormable”, meaning it can self-replicate through additional connected systems.

Ultimately, if you are one of the millions of people or organisations that could be adversely affected by the discovery of such a high-impact vulnerability, then close monitoring of this situation is essential. Zepko will continue to monitor this situation and post updates from our Twitter account (@ZepkoSecurity).

If you would like to talk to a Zepko analyst about whether you are vulnerable to such a cyber-attack, please do not hesitate to contact us at: Enquiry@Zepko.com.

References:

https://www.bleepingcomputer.com/news/security/google-researchers-find-wormable-crazy-bad-windows-exploit/

https://technet.microsoft.com/en-us/library/security/4022344

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0290

https://support.microsoft.com/en-us/help/2510781/microsoft-malware-protection-engine-deployment-information