[ISN] MS malware engine vulnerable to malware

From: InfoSec News (alerts@private)
Date: Thu Feb 15 2007 - 00:10:20 PST


By Andrew Thomas
14 February 2007

OH DEAR, OH DEAR. If there was one piece of software you'd expect to be 
secure from malware attacks it would have to be malware protection 
software itself. Sadly, this is not the case with Microsoft Defender, 
the software giant's all-singing, all-dancing user security package.

According to security bulletin CVE-2006-5270 - Microsoft Malware 
Protection Engine Vulnerability, Integer overflow in the Microsoft 
Malware Protection Engine (mpengine.dll), as used by Windows Live 
OneCare, Antigen, Defender, and Forefront Security, allows user-assisted 
remote attackers to execute arbitrary code via a PDF file. All the 
following are at risk of remote code execution:

Windows Live OneCare
Microsoft Antigen for Exchange 9.x
Microsoft Antigen for SMTP Gateway 9.x
Microsoft Windows Defender
Microsoft Windows Defender x64 Edition
Microsoft Windows Defender in Windows Vista
Microsoft Forefront Security for Exchange Server
Microsoft Forefront Security for SharePoint

According to the bulletin rated 'critical' a remote code execution 
vulnerability exists in the Microsoft Malware Protection Engine because 
of the way that it parses Portable Document Format (PDF) files. An 
attacker could exploit the vulnerability by constructing a specially 
crafted PDF File that could potentially allow remote code execution when 
the target computer system receives, and the Microsoft Malware 
Protection Engine scans, the PDF file.

To have one insecure security product could be seen as unlucky; to have 
eight looks a bit like carelessness. 

Microsoft Security Bulletin MS07-010 

Subscribe to the InfoSec News RSS Feed

This archive was generated by hypermail 2.1.3 : Thu Feb 15 2007 - 00:26:46 PST