
Security Update for Microsoft Malware Protection Engine - tooba
https://technet.microsoft.com/en-us/library/security/4022344
======
olig15
> Mr Cluley did add, however, that he thought the Project Zero protocol for
> announcing the vulnerability - which had included information that malicious
> hackers might have found useful - had been risky.
>
> "That can help the bad guys," he said.

This is just plain wrong, isn't it? I was under the impression that all of the
details on PZ are hidden until either a fix is released, or 90 days have
passed. I don't see how this could have 'helped the bad guys'.

~~~
CiPHPerCoder
A lot of people in IT (a surprisingly high portion of programmers, even) don't
understand the value of full disclosure in security research. For some reason,
they decided to export their usual arguments to decry Tavis's tweet:

[https://twitter.com/taviso/status/860679110728622080](https://twitter.com/taviso/status/860679110728622080)

The responses to his tweet calling him irresponsible are consistent with the
tone of this remark: "This can help the bad guys". Never mind the fact that
there are no details in the tweet relating to the actual vulnerability or
exploit.

To be clear: I don't know what relationship (if any) Graham Cluley has to the
people being jerks to Tavis, and it's possible that this quote was taken out
of context. However, given the backlash Tavis's tweet summoned from some
Twitter users with inflexible opinions about disclosure ethics, and this alien
remark in the article, I'd hedge on the two being related.

~~~
Angostura
I suppose the issue that I have with that Tweet is - exactly what is its
purpose? I don't think it poses a risk, but the tone - excited? self-important?
- doesn't sit well with the idea of a professional security bod soberly
reporting a serious problem.

I just think the tone rubbed people up the wrong way.

~~~
aeleos
If people don't know that a vulnerability exists (for example: the Intel
Active Management Technology) it can be very easy for the company to just
ignore it (especially if it is one that reflects badly on the company).
However, if people know that a vulnerability exists, it puts the ball in the
company's court to do something about it.

However, that is just my personal opinion about the reason for Tavis' tweets
(which happen every time a large vulnerability is discovered), and I have no
security background. I trust people like Tavis, who have done a lot of work
to improve security, to know how to minimize the damage from the
vulnerabilities.

------
abalos
Serious props to Microsoft for getting the fix out the door so quickly. I'm
glad that they took this seriously because this is a major vulnerability.

~~~
vesinisa
What is less impressive is that this exploit was even possible. Executing all
incoming JavaScript as root user, what the heck?

Even if they patched this one bug in the interpreter, how many more are there
that are not yet discovered / only known by dark market exploit vendors?

~~~
abalos
Very true. I wouldn't be surprised if we see more patches after this one. Based
on their initial response time they seem to be taking this as seriously as it
warrants. Hopefully they move away from this model eventually - it won't be
easy to lock this down properly.

------
redcalx
Any suggestions for a good quality virus scanner in which I can have some
confidence regarding a reasonable choice in how it operates?

If I'm understanding correctly Defender runs with high privilege and has a
very large security footprint; as such I don't think it's something I want to
run.

~~~
user5994461
> Any suggestions for a good quality virus scanner in which I can have some
> confidence in regarding a reasonable choice in how it operates.

All antivirus products operate like rootkits. It's basically a rootkit trying
to block other rootkits from installing.

Microsoft has the advantage of having access to all Windows APIs, and they put
a ton of effort into testing/compatibility. It is the least worst of all evils.

------
octo_t
Other thread is up at:
[https://news.ycombinator.com/item?id=14296959](https://news.ycombinator.com/item?id=14296959)
(although doesn't mention that MSFT have released a fix already).

------
booleandilemma
Details from Microsoft:

[https://technet.microsoft.com/en-us/library/security/4022344](https://technet.microsoft.com/en-us/library/security/4022344)

~~~
nailer
Hrm. Microsoft article says:

> For more information on how to verify the version number for the Microsoft
> Malware Protection Engine that your software is currently using, see the
> section, "Verifying Update Installation", in Microsoft Knowledge Base
> Article 2510781.

But the link points to
[https://technet.microsoft.com/en-us/library/security/4022344](https://technet.microsoft.com/en-us/library/security/4022344)
which doesn't include Windows 10.

Edit: guessed and found it: Start -> Windows Defender Security Centre -> (cog
icon in bottom left) -> About -> Engine Version

~~~
dsp1234
From PowerShell (on Windows 10/Server 2016, possibly others):

    (Get-MpComputerStatus).AmEngineVersion

Also, from PowerShell:

    Update-MpSignature

to just go ahead and run the update process.

~~~
nailer
Thanks! I wish Microsoft would throw the PowerShell one-liner in their
document; most people interested in this stuff would rather just do:

    Get-MpComputerStatus | select 'AmEngineVersion'

than read a long-winded set of commands. PS. Cool technique with the parens.

------
davidhyde
"An attacker who successfully exploited this vulnerability could execute
arbitrary code in the security context of the LocalSystem account and take
control of the system." Why would software that is written to scan potentially
dangerous files be configured to run under the LocalSystem account? Shouldn't
it run under a least privilege account?

------
spyder
Did they only fix the type confusion, or did they do something about the
unsandboxed JavaScript interpreter running as SYSTEM?

~~~
CGamesPlay
They got this out incredibly quickly so it's likely that either they just
fixed the type confusion or that they already had a sandboxing modification
ready which they were saving for a major update but had to rush out. I don't
know the age of the defender code, but my money is on the former.

------
reallydontask
shame that the instructions for verifying the update don't apply to Windows 10

~~~
Noseshine
They do? Just check the version: Open Defender, go to Help => About, check
"Engine Version". Should be 1.1.13704.0 or higher.
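
A PowerShell script that combines the two checks discussed in this thread
(dsp1234's `Get-MpComputerStatus` / `Update-MpSignature` one-liners and the
1.1.13704.0 engine threshold Noseshine quotes). This is an added example, not
code from the thread or from Microsoft's documentation. It assumes the Defender
cmdlets are present (Windows 10 / Server 2016), an elevated session for the
update step, and takes the threshold version from the thread rather than
verifying it independently:

```powershell
# Added example (not from the thread or from Microsoft's advisory): check whether
# the local Malware Protection Engine is at or above the version the thread
# cites as fixed, and trigger an update if it is not.
# Assumptions: the Defender module (Get-MpComputerStatus, Update-MpSignature)
# is available, and the session is elevated so Update-MpSignature can run.

# Minimum fixed engine version, as quoted in the thread; confirm it against the
# advisory for your platform before relying on it.
$FixedEngineVersion = [version]'1.1.13704.0'

function Test-MpEngineFixed {
    param(
        [Parameter(Mandatory)][string]$EngineVersion,
        [version]$Minimum = $FixedEngineVersion
    )
    # Cast to [version] so the comparison is per numeric component
    # (1.1.13704.0 vs 1.1.9999.0); a string compare would get this wrong.
    return ([version]$EngineVersion -ge $Minimum)
}

# Read the live engine version; fail loudly if the cmdlet is missing.
try {
    $status = Get-MpComputerStatus -ErrorAction Stop
} catch {
    Write-Error "Get-MpComputerStatus unavailable: $($_.Exception.Message)"
    exit 2
}

$engine = $status.AmEngineVersion
Write-Host "Engine version: $engine (signatures: $($status.AntivirusSignatureVersion))"

if (Test-MpEngineFixed -EngineVersion $engine) {
    Write-Host "OK: engine $engine is at or above $FixedEngineVersion"
    exit 0
}

Write-Warning "Engine $engine is below $FixedEngineVersion; requesting an update."
# Update-MpSignature fetches the latest engine and definitions from the
# configured update source (Microsoft Update by default).
Update-MpSignature -ErrorAction Stop

# Re-read the version after the update rather than assuming it succeeded.
$engine = (Get-MpComputerStatus).AmEngineVersion
if (Test-MpEngineFixed -EngineVersion $engine) {
    Write-Host "OK after update: engine $engine"
    exit 0
}
Write-Warning "Still at $engine; check the update source and the engine update cadence."
exit 1
```

The `[version]` cast is the part worth keeping even if you only ever run the
one-liner: engine and signature versions are dotted numerics, and a plain
string comparison of `1.1.13704.0` against a shorter or longer build number
can report a vulnerable engine as patched. For a fleet, the same script runs
unchanged under `Invoke-Command` against a list of hosts.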

~~~
mannykannot
If you assume the instructions for Windows 8 apply to Windows 10, then that is
what you find. Also, the security advisory itself links to this page with the
statement "For more information on how to verify the engine version number
that your software is currently using, see the section, "Verifying Update
Installation", in Microsoft Knowledge Base Article 2510781.", but the actual
section title is "Verification of the update installation", so when I searched
for the stated section name, I did not find it. These are small mistakes, but
it is sloppy work. A person might be left wondering if there is some
Windows 10-specific information somewhere in the rabbit-warren of links
leading from the security advisory.

