Here's how to check if your PC got Microsoft's fix for Windows Defender bug

Security researcher Tavis Ormandy, one of Microsoft’s biggest critics, praises Microsoft for its rapid response to a newly discovered security hole

Here's how to check if your PC got Microsoft's fix for Windows Defender
Credit: Wikiuser100000

It’s like Pepsi declaring that Coke won a taste test: Google Project Zero security researchers discovered a security hole in Microsoft’s Malware Protection Engine, and two days later the Microsoft Security Response Center not only fixed the bug but also rolled out the update through the usual Windows Defender update mechanism.

The bug in the main Windows Defender program was described in Security Advisory 4022344. Chances are good your Windows computer got the fix last night.

Google Project Zero security researchers Tavis Ormandy and Natalie Silvanovich are credited with discovering the vulnerability. Ormandy tweeted that the security hole was “the worst Windows remote code exec in recent memory… crazy bad.”

After Microsoft’s quick action on the bug, Ormandy—ordinarily one of Microsoft’s biggest critics—was swift to respond. “What an amazing response, thanks so much Simon and MSRC! That was incredible work.”

The praise seems quite justified. The “wormable” hole has been plugged, and everything is now right with Microsoft Endpoint Protection, Forefront Security, Security Essentials, Intune Endpoint Protection, and all versions of Windows Defender, from Windows 7 to 8.1 to RT to Windows 10 versions 1507, 1511, 1607, and 1703.

In short, it was a stunning response to a bad bug (and one more reason why you should not turn off wuauserv, the Windows Update service).

The easiest way to make sure you got the fix is to check the version number for MsMpEng.exe, the Microsoft Malware Protection Engine. You’re looking for engine version 1.1.13704.0 or higher (1.1.13701.0 has the security hole). Here’s how to hunt down the version:

  • In Windows 7, click Start > Run, type Windows Defender, and press Enter. Click the down arrow at the top on the right and choose About Windows Defender. To manually update the engine, click the down arrow, then Check for updates.
  • In Windows 8.1, click Start and in the search box type Windows Defender. Then follow the instructions for Windows 7.
  • In Windows 10, type Windows Defender in the Cortana search box and press Enter. In the upper-right corner, click Settings. Scroll down to the bottom and your Engine version appears under Version info. If you don’t have 1.1.13704.0, go into Windows Update (Start > Settings > Update & security), then click Check for updates. The new Windows Defender update (1.243.10.0 on my 1607 PC) should appear. Wait and make sure Windows installs it.

For technical details about the security hole, read Ormandy and Silvanovich’s article on the Project Zero blog. The problem boils down to a failure of one function in a privileged kernel program to validate the argument being passed to it. As a result, a bad guy can rig nearly anything to trigger remote execution. The flaw digs into Windows using the component of MsMpEng called mpengine:

Mpengine is a vast and complex attack surface, comprising of handlers for dozens of esoteric archive formats, executable packers and cryptors, full system emulators and interpreters for various architectures and languages, and so on. All of this code is accessible to remote attackers.

NScript is the component of mpengine that evaluates any filesystem or network activity that looks like JavaScript. To be clear, this is an unsandboxed and highly privileged JavaScript interpreter that is used to evaluate untrusted code, by default on all modern Windows systems. This is as surprising as it sounds.

Yes, you read that correctly. MsMpEng has a JavaScript interpreter that runs directly in the kernel—and it’s in all versions of Windows. While Microsoft’s solution fixed the immediate problem, it’s pretty clear there’s still a big potential security hole. A few hours ago, Vesselin Bontchev tweeted:

Has anybody examined what Microsoft’s “fix” of the Defender vulnerability is? Did they just resolve the type confusion?

I mean, they probably didn’t suddenly add a sandbox around it or stopped running a JavaScript interpreter in the kernel?

Bottom line: Make sure Windows Defender is up to date on your system. Don’t turn off the Windows Update service. And expect to hear more about the kernel-mode JavaScript interpreter in the future.

Discussion continues on the AskWoody Lounge.

Computerworld's IT Salary Survey 2017 results
Shop Tech Products at Amazon