5 Replies Latest reply on Aug 16, 2017 3:23 PM by woody188

    ENS: Can Anybody from MCAFEE tell us if we have to take care if customers HAVE ENS 10.X about MS Exploit in Windows Defender?

    bretzeli

      Microsoft has released a critical out-of-band security update addressing a vulnerability in the Microsoft Malware Protection Engine. A remote attacker could exploit this vulnerability to take control of an affected system.

      Users and administrators are encouraged to review Microsoft Security Advisory 4022344 for details and apply the necessary update.

      As of 10.05.2017 it has seemed unclear for a long time now.

      This is based on questions asked in the corporate forums of Symantec and McAfee. People are unsure whether they have to do something:

      • If the LEAK/Exploit/vulnerability applies to them
      • How to PATCH the vulnerability
      • IF the vulnerability is deactivated in any form (from WIM, via Service, via Registry etc.)
      • You may have some machines in your enterprise which still have it activated (not deployed through deployment [special clients], servers with the TERMINAL SERVER role installed, Citrix etc.!)

      Microsoft says so in their FAQ, and we assume they will PATCH this on Patchday 05/2017:

      Is Microsoft releasing a Security Bulletin to address this vulnerability?

      No. Microsoft is releasing this informational security advisory to inform customers that an update to the Microsoft Malware Protection Engine addresses a security vulnerability that was reported to Microsoft.

      Typically, no action is required of enterprise administrators or end users to install this update.

      Comment Butsch: Yes, but that's only VALID if you have Windows Defender active and NOT disabled, we assume?

      https://technet.microsoft.com/en-us/library/security/4022344

      https://support.microsoft.com/de-ch/help/2510781/microsoft-malware-protection-engine-deployment-information

      https://social.technet.microsoft.com/Forums/windowsserver/en-US/a4c83e56-758c-4ace-ba0f-4e1ffdc39514/wsus-and-microsoft-security-advisory-4022344-09052017-windows-leak-in-all-ms-security-products?forum=winserverwsus

      https://www.us-cert.gov/ncas/current-activity/2017/05/08/Microsoft-Releases-Critical-Security-Update

      Registry key to see what version you have in Windows Defender:

      "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Signature Updates\EngineVersion"

      Is Windows Defender on or off?

      If this key is "1" then Windows Defender is INACTIVE.


      Check if Windows Defender is running:

      "C:\Program Files\Windows Defender\MSASCui.exe"

      How to check if Windows Defender is running by directory check:

      If it's ACTIVE there is a directory called "C:\ProgramData\Microsoft\Windows Defender"


      How to check if you are safe > this file has to be newer than 8.5.2017 to be safe:

      "C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{1F3264AD-BA13-4E95-93D5-DA22838B8633}\mpengine.dll"

      GUID {1F3264AD-BA13-4E95-93D5-DA22838B8633} changes with every DEF update.

      You can ONLY update the DEF if Windows Defender is running.

      How to enable/select Windows Defender patches in WSUS 3.X

      Microsoft Technet:

      Microsoft Security Advisory 4022344, Security Update for Microsoft Malware Protection Engine

      Published: May 8, 2017

      Executive Summary

      Microsoft is releasing this security advisory to inform customers that an update to the Microsoft Malware Protection Engine addresses a security vulnerability that was reported to Microsoft.

      The update addresses a vulnerability that could allow remote code execution if the Microsoft Malware Protection Engine scans a specially crafted file. An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the LocalSystem account and take control of the system.

      The Microsoft Malware Protection Engine ships with several Microsoft antimalware products. See the Affected Software section for a list of affected products. Updates to the Microsoft Malware Protection Engine are installed along with the updated malware definitions for the affected products. Administrators of enterprise installations should follow their established internal processes to ensure that the definition and engine updates are approved in their update management software, and that clients consume the updates accordingly.

      Typically, no action is required of enterprise administrators or end users to install updates for the Microsoft Malware Protection Engine, because the built-in mechanism for the automatic detection and deployment of updates will apply the update within 48 hours of release. The exact time frame depends on the software used, Internet connection, and infrastructure configuration.

      Advisory Details

      Issue References

      For more information about this issue, see the following references:

      References                                                                                   Identification
      -------------------------------------------------------------------------------------------  -------------------
      Last version of the Microsoft Malware Protection Engine affected by this vulnerability      Version 1.1.13701.0
      First version of the Microsoft Malware Protection Engine with this vulnerability addressed  Version 1.1.13704.0*

      *If your version of the Microsoft Malware Protection Engine is equal to or greater than this version, then you are not affected by this vulnerability and do not need to take any further action. For more information on how to verify the engine version number that your software is currently using, see the section "Verifying Update Installation" in Microsoft Knowledge Base Article 2510781.

      Affected Software

      The following software versions or editions are affected. Versions or editions that are not listed are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, see Microsoft Support Lifecycle.

      Antimalware Software - Microsoft Malware Protection Engine Remote Code Execution Vulnerability (CVE-2017-0290)

      Software                                                            Severity   Impact
      ------------------------------------------------------------------  ---------  ---------------------
      Microsoft Forefront Endpoint Protection 2010                        Critical   Remote Code Execution
      Microsoft Endpoint Protection                                       Critical   Remote Code Execution
      Microsoft Forefront Security for SharePoint Service Pack 3          Critical   Remote Code Execution
      Microsoft System Center Endpoint Protection                         Critical   Remote Code Execution
      Microsoft Security Essentials                                       Critical   Remote Code Execution
      Windows Defender for Windows 7                                      Critical   Remote Code Execution
      Windows Defender for Windows 8.1                                    Critical   Remote Code Execution
      Windows Defender for Windows RT 8.1                                 Critical   Remote Code Execution
      Windows Defender for Windows 10, Windows 10 1511, Windows 10 1607,  Critical   Remote Code Execution
        Windows Server 2016, Windows 10 1703
      Windows Intune Endpoint Protection                                  Critical   Remote Code Execution
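The manual checks in the post (registry EngineVersion, whether Defender is running, the mpengine.dll date under the changing GUID folder) and the fixed engine version from the advisory's Identification table can be combined into one read-only host check. The script below is an added example, not code from the forum post, from McAfee or from Microsoft. It assumes the Defender service is named WinDefend, that the registry and file paths quoted in the post apply, that 1.1.13704.0 is the first fixed engine as the advisory states, and that Update-MpSignature from the Defender PowerShell module is available on newer Windows versions; run it in an elevated PowerShell session.

```powershell
# Added example: report whether this host's Microsoft Malware Protection Engine
# is at or above the fixed version for CVE-2017-0290. Read-only; changes nothing.
# Assumptions: service name WinDefend, paths from the forum post, fixed engine
# 1.1.13704.0 from advisory 4022344, file date 8.5.2017 from the post.

$FixedEngine = [version]'1.1.13704.0'
$RegPath     = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Signature Updates'
$DataDir     = 'C:\ProgramData\Microsoft\Windows Defender'
$DefDir      = Join-Path $DataDir 'Definition Updates'
$MinFileDate = [datetime]'2017-05-08'

function Get-DefenderEngineState {
    $state = [ordered]@{
        ServicePresent = $false
        ServiceRunning = $false
        DataDirPresent = (Test-Path -LiteralPath $DataDir)
        EngineVersion  = $null
        EngineFixed    = $null
        MpEngineDll    = $null
        MpEngineNewer  = $null
    }

    # 1. Service state: definitions (and with them the engine) only update
    #    while Defender is actually running.
    $svc = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
    if ($svc) {
        $state.ServicePresent = $true
        $state.ServiceRunning = ($svc.Status -eq 'Running')
    }

    # 2. Engine version from the registry value quoted in the post.
    $reg = Get-ItemProperty -Path $RegPath -Name EngineVersion -ErrorAction SilentlyContinue
    if ($reg -and $reg.EngineVersion) {
        $state.EngineVersion = [version]$reg.EngineVersion
        $state.EngineFixed   = ($state.EngineVersion -ge $FixedEngine)
    }

    # 3. Newest mpengine.dll on disk. The GUID folder changes with every
    #    definition update, so search recursively instead of hard-coding it.
    if (Test-Path -LiteralPath $DefDir) {
        $dll = Get-ChildItem -LiteralPath $DefDir -Filter mpengine.dll -Recurse -ErrorAction SilentlyContinue |
               Sort-Object LastWriteTime -Descending | Select-Object -First 1
        if ($dll) {
            $state.MpEngineDll   = $dll.FullName
            $state.MpEngineNewer = ($dll.LastWriteTime -gt $MinFileDate)
        }
    }
    [pscustomobject]$state
}

$s = Get-DefenderEngineState
$s | Format-List

if (-not $s.ServicePresent -or -not $s.ServiceRunning) {
    # Defender is off or absent: its engine will not self-update here, so the
    # question is what the third-party product on this host is doing.
    Write-Output 'Windows Defender is not running on this host; its engine cannot update itself.'
} elseif ($s.EngineFixed) {
    Write-Output "Engine $($s.EngineVersion) >= $FixedEngine: not affected by CVE-2017-0290."
} elseif ($s.EngineVersion) {
    Write-Output "Engine $($s.EngineVersion) < $FixedEngine: trigger a definition update (Update-MpSignature) and re-check."
} else {
    Write-Output 'EngineVersion not found in the registry; verify Defender installation manually.'
}
```

The registry value is the authoritative check; the mpengine.dll date is only a cross-check, since a stale GUID folder can remain on disk after an update and the file timestamp is not a version. Running this through your deployment tool against the "special" clients and terminal/Citrix servers named in the post gives an inventory of where Defender is still active and unpatched rather than relying on the 48-hour auto-update assumption.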