Beware! Microsoft malware protection service opens the door to attacks

Jun 01, 2017 12:00 PM

For the past few years the Symantec Web Isolation team (formerly Fireglass) has warned customers that web browsers are dangerous because malicious websites exploit browser vulnerabilities to infect endpoints. We developed our Web Isolation platform with the mindset that all web content is potentially malicious and therefore the safest approach for preventing attacks is to execute and render web sessions remotely, away from users’ devices. A new and dangerous vulnerability in the Microsoft Malware Protection Service (MsMpEng) highlights the advantages of Symantec Web Isolation. Discovered by the Google Project Zero team, the MsMpEng vulnerability (CVE-2017-0290) enables attackers to infect computers running a Windows OS without the user having to open an email or an attachment, or knowingly download a file from a website. Basically, it’s a security nightmare.

About the MsMpEng Vulnerability

MsMpEng is a core engine of Windows Defender, Microsoft’s malware utility. It is enabled by default on Windows 8, 8.1, 10, Windows 2012 and more. Additional Microsoft security products such as Microsoft Security Essentials also share this engine. Mpengine.dll is a key component of MsMpEng and is responsible for scanning and analysis of any file on the Windows operating system, including emails, attachments, and web page resources downloaded by a browser (such as JavaScript, Flash, fonts, images, and cascading style sheets).

The vulnerability discovered in MsMpEng enables attackers to reach mpengine.dll via a malicious file downloaded from a website or delivered by email. The file is specially crafted to take advantage of the MsMpEng vulnerability. MsMpEng is reachable by attackers because it uses a file system minifilter to intercept and inspect all file activity on the system. This means that any content written to the workstation’s disk, such as browser cache, temporary internet files, downloads (confirmed and unconfirmed), and attachments, is potentially processed by the vulnerable code in mpengine.dll.

When a specially crafted file, such as a Cascading Style Sheet (CSS), is delivered to the workstation, it crashes the MsMpEng process and jumps directly to an address from which the attacker can remotely execute highly privileged instructions on the workstation.

What makes this vulnerability both interesting and dangerous?

There are several reasons why this vulnerability is cause for alarm:

  • First of all, enabling MsMpEng to run periodic scans is considered to be a security best practice. For this reason, a vulnerability in this service impacts nearly everyone using a Windows OS. MsMpEng runs under SYSTEM permissions without sandboxing and is remotely accessible through services like IIS, Exchange, and other Windows services.
  • Attackers can take advantage of this vulnerability just by sending an email, without requiring users to open the email or an attachment. A specially crafted email sent to the user is automatically downloaded by the user’s email client and then persists on the workstation’s hard disk. When the email is scanned by MsMpEng, it crashes the service, thereby leaving the user’s hard drive vulnerable to further attacks.
  • Attackers can also exploit the MsMpEng vulnerability by using web page rendering resources such as CSS, font, and images. When a user navigates to a malicious site, the browser automatically downloads these files behind the scenes to the hard drive. When scanned by MsMpEng, they crash the service. To make things worse, existing proxy or browser security measures are not able to block these files.
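Because the engine is reached through automatic scanning of anything written to disk, the practical defender-side question is whether the installed engine already carries Microsoft’s fix. The following PowerShell script is an added example, not part of the original post or of any Symantec product: it reads the Microsoft Malware Protection Engine version and protection state through the built-in Defender module (Get-MpComputerStatus) and compares the engine version against a fixed version that you must supply. $FixedEngineVersion is a placeholder parameter; take the real value from Microsoft’s advisory for CVE-2017-0290. The function names Get-MpEngineState and Test-MpEnginePatched are this example’s own.

```powershell
# Added example (not from the original post): report the Microsoft Malware
# Protection Engine version on this host and compare it with the first engine
# version that contains the fix. Assumes the built-in Defender PowerShell
# module (Get-MpComputerStatus), present on Windows 8.1 / Server 2012 R2 and later.
[CmdletBinding()]
param(
    # Placeholder: supply the first fixed engine version from Microsoft's
    # advisory for CVE-2017-0290, e.g. -FixedEngineVersion '1.1.x.y'.
    [Parameter(Mandatory = $true)]
    [version]$FixedEngineVersion
)

function Get-MpEngineState {
    # Collect the engine and protection facts relevant to this vulnerability:
    # the engine version (the vulnerable component) and whether the engine is
    # running and scanning files in real time (the exposure described above).
    $status = Get-MpComputerStatus -ErrorAction Stop
    [pscustomobject]@{
        EngineVersion        = [version]$status.AMEngineVersion
        ServiceEnabled       = $status.AMServiceEnabled
        RealTimeProtection   = $status.RealTimeProtectionEnabled
        SignatureLastUpdated = $status.AntivirusSignatureLastUpdated
    }
}

function Test-MpEnginePatched {
    # True when the installed engine is at or above the fixed version.
    param(
        [Parameter(Mandatory = $true)][version]$Installed,
        [Parameter(Mandatory = $true)][version]$Fixed
    )
    return ($Installed -ge $Fixed)
}

$state   = Get-MpEngineState
$patched = Test-MpEnginePatched -Installed $state.EngineVersion -Fixed $FixedEngineVersion

$state | Format-List

if ($patched) {
    Write-Output "Engine $($state.EngineVersion) is at or above the fixed version $FixedEngineVersion."
} else {
    # Engine updates are delivered through the same channel as definition
    # updates, so forcing a definition update is the normal remediation path.
    Write-Warning "Engine $($state.EngineVersion) is below $FixedEngineVersion; run Update-MpSignature and re-check."
}

if (-not $state.RealTimeProtection) {
    Write-Warning "Real-time protection is off; the automatic on-write scanning path is not active on this host."
}
```

Run it from an elevated PowerShell prompt as `.\Check-MpEngine.ps1 -FixedEngineVersion <version from the advisory>`. The version comparison uses the [version] type rather than string comparison so that, for example, 1.1.13704.0 sorts correctly above 1.1.9999.0.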

See the exploit in action

The above video demonstrates how an attack can occur when a user visits a website. The web browser (in this example, Chrome) automatically downloads a specially crafted file, a cascading style sheet (CSS), to its browser cache directory. When MsMpEng detects and scans the file, the MsMpEng vulnerability kicks in. The vulnerability crashes the MsMpEng process and directly jumps to an address from which the attacker can remotely run commands on the affected workstation.

How can Symantec Web Isolation protect your enterprise from sophisticated threats?

The MsMpEng vulnerability highlights why Symantec Web Isolation is the only isolation solution that can protect your enterprise from this dangerous vulnerability in the Microsoft Malware Protection Service.

Isolation for websites: With Symantec Web Isolation, websites are executed and rendered remotely. Unlike other solutions, with Symantec no internet content, not even temporary internet files, can reach endpoints.

Web Isolation for email: Symantec Web Isolation integrates with mail servers to provide protection from malicious links. When an email is sent to a user, it isolates and rewrites all links to redirect through the isolation platform.

Links in emails are transformed to redirect to the isolation platform (cloud or on-prem). When the user clicks on a link to a website, the web session is isolated and no web content (including HTML resources such as CSS, font, and image files) reaches the endpoint.

The Symantec Web Isolation agentless solution integrates with Symantec ProxySG and additional security products to provide enterprises with protection from malicious websites while providing a transparent and seamless browsing experience.
