Microsoft patched more Malware Protection Engine bugs last week

Microsoft has broken out of its usual cycle to patch more Malware Protection Engine bugs notified privately by Google Project Zero.

Project Zero's Mateusz Jurczyk didn't turn up just one “crazy bad” bug: while the new bugs are all named either “Microsoft Malware Protection Engine Denial of Service Vulnerability” or “Microsoft Malware Protection Engine Remote Code Execution Vulnerability”, there are eight individual bugs covered in Microsoft's announcement.

They're all different angles on the same kind of vulnerability: get the Malware Protection Engine to scan a crafted file, and you can either hose it or crash it through memory corruption.

The individual bugs are CVE-2017-8535, CVE-2017-8536, CVE-2017-8537, CVE-2017-8538, CVE-2017-8539, CVE-2017-8540, CVE-2017-8541 and (phew!) CVE-2017-8542.

The bugs are described at Project Zero here.

Jurczyk notes that the remote code execution bugs rest on memory corruption issues, while null pointer dereferences, divide-by-zero and infinite recursion bugs only pose a denial-of-service risk.

Enterprise users of the Microsoft Malware Protection Engine shouldn't need to do anything, because the fixes should land automatically. Microsoft issued the patches before making its announcement. ®