Microsoft’s Microsoft Security Advisory 4022344 in response to MsMpEng: Remotely Exploitable Type Confusion in Windows 8, 8.1, 10, Windows Server, SCEP, Microsoft Security Essentials, and more by taviso@google.com, was so timely as to deprive the “responsible disclosure” crowd of a chance to bitch about the notice given to Microsoft.
Two aspects of this vulnerability merit your attention.
Patched != Applied
Under Suggested Actions, the Microsoft bulletin reads:
- Verify that the update is installed
Customers should verify that the latest version of the Microsoft Malware Protection Engine and definition updates are being actively downloaded and installed for their Microsoft antimalware products.
For more information on how to verify the version number for the Microsoft Malware Protection Engine that your software is currently using, see the section, “Verifying Update Installation”, in Microsoft Knowledge Base Article 2510781.
For affected software, verify that the Microsoft Malware Protection Engine version is 1.1.13704.0 or later.
- If necessary, install the update
Administrators of enterprise antimalware deployments should ensure that their update management software is configured to automatically approve and distribute engine updates and new malware definitions. Enterprise administrators should also verify that the latest version of the Microsoft Malware Protection Engine and definition updates are being actively downloaded, approved and deployed in their environment.
For end-users, the affected software provides built-in mechanisms for the automatic detection and deployment of this update. For these customers, the update will be applied within 48 hours of its availability. The exact time frame depends on the software used, Internet connection, and infrastructure configuration. End users that do not wish to wait can manually update their antimalware software.
For more information on how to manually update the Microsoft Malware Protection Engine and malware definitions, refer to Microsoft Knowledge Base Article 2510781.
…
Microsoft knows its customers far better than I do and that suggests unpatched systems can be discovered in the wild. No doubt in diminishing numbers but you won’t know unless you check.
Patches As Vulnerability Patterns
You have to visit CVE-2017-0290 to find links to the details of “MsMpEng: Remotely Exploitable Type Confusion….”
Which raises an interesting use case for the Microsoft/MSRC-Microsoft-Security-Updates-API, which I encountered by by way of a PowerShell script for accessing the MSRC Portal API.
Polling the Microsoft/MSRC-Microsoft-Security-Updates-API provides you with notice of vulnerabilities to look for based on unapplied patches.
You can use the CVE links to find deeper descriptions of underlying vulnerabilities. Those descriptions, assuming you mine the sips (statistically improbable phrases), can result in a powerful search tool to find closely related postings.
Untested but searching by patterns for particular programmers (whether named or not), may be more efficient than an abstract search for coding errors.
Reasoning that programmers tend to commit the same errors, reviewers tend to miss the same errors, and so any discovered error, properly patterned, may be the key to a grab bag of other errors.
That’s an issue where tunable subject identity would be very useful.