The 2017 Pwnie Nominee For Best Server-Side Bug

CVE-2017-0290

Credit: Natalie Silvanovich and Tavis Ormandy

Described by Tavis as “the worst windows remote code execution”, this bug allowed remote code execution on any system running Microsoft WinDefender, which is available by default and is ironically supposed to defend against malware. Google’s report stated that “vulnerabilities in MsMpEng are among the most severe possible in Windows, due to the privilege, accessibility, and ubiquity of the service”. The engine runs as SYSTEM and is not subject to any sandboxing. It is accessible remotely via a number of critical, ubiquitous Windows services, including Exchange and the IIS web server. The vulnerability lies in the underlying x86 integrator, and can be exploited by submitting a specially crafted file, such as an email, for parsing by the engine; the file does not need to be opened or displayed for the vulnerability to be triggered, since the engine scans it automatically. Coming shortly after Microsoft had dealt with the ETERNAL* exploits and WannaCry, this vulnerability led Microsoft to issue an emergency patch just 48 hours after it was disclosed to them.
