KB4022344 : Vulnérabilité à distance sur Windows Defender / MSE

Bonjour,

Une vulnérabilité à distance a été publiée concernant Windows Defender et Microsoft Security Essential pour Windows 7, Windows 8.1 et Windows 10.
Cette vulnérabilité peut permettre d'infecter l'ordinateur, à travers des fichiers malveillants, et notamment des campagnes d'emails malveillants poussant des trojans ou ransomware/rançongiciels.

Elle affecte plus particulièrement MsMpEng : https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5

MsMpEng is the Malware Protection service that is enabled by default on Windows 8, 8.1, 10, Windows Server 2012, and so on. Additionally, Microsoft Security Essentials, System Centre Endpoint Protection and various other Microsoft security products share the same core engine. MsMpEng runs as NT AUTHORITY\SYSTEM without sandboxing, and is remotely accessible without authentication via various Windows services, including Exchange, IIS, and so on.

On workstations, attackers can access mpengine by sending emails to users (reading the email or opening attachments is not necessary), visiting links in a web browser, instant messaging and so on. This level of accessibility is possible because MsMpEng uses a filesystem minifilter to intercept and inspect all system filesystem activity, so writing controlled contents to anywhere on disk (e.g. caches, temporary internet files, downloads (even unconfirmed downloads), attachments, etc) is enough to access functionality in mpengine. MIME types and file extensions are not relevant to this vulnerability, as MsMpEng uses it's own content identification system.

Vulnerabilities in MsMpEng are among the most severe possible in Windows, due to the privilege, accessibility, and ubiquity of the service.

The core component of MsMpEng responsible for scanning and analysis is called mpengine. Mpengine is a vast and complex attack surface, comprising of handlers for dozens of esoteric archive formats, executable packers and cryptors, full system emulators and interpreters for various architectures and languages, and so on. All of this code is accessible to remote attackers.

NScript is the component of mpengine that evaluates any filesystem or network activity that looks like JavaScript. To be clear, this is an unsandboxed and highly privileged JavaScript interpreter that is used to evaluate untrusted code, by default on all modern Windows systems. This is as surprising as it sounds.

Plus d'informations et explications en français : KB4022344 : Vulnérabilité à distance de Windows.

~~

Pour effectuer la mise à jour : https://support.microsoft.com/fr-fr/help/2510781/microsoft-malware-protection-engine-deployment-information


Plus d'informations sur les vulnérabilités et les implications de sécurité :
- Pour comprendre ce que sont mes vulnérabilités : Comprendre ce que sont les vulnérabilités.
- vulnérabilité



Veuillez appuyer sur une touche pour continuer la désinfection...