Exploiting this flaw is trivially simple: an attacker only has to get a malformed file onto the victim's machine, whether by email, chat message, file download, or by tricking the victim into visiting a malicious website that hosts a weaponized JS file. The file is then scanned by the Microsoft Malware Protection Engine, automatically if real-time protection is turned on, and the engine is compromised. No user interaction beyond the file landing on disk is required, which is what makes the bug so dangerous. That is fortunate in hindsight, since a remote code execution vulnerability this easy to exploit would otherwise have led to widespread compromise. "I suspect this has never been fuzzed before", Ormandy said.

Since ATP's introduction, Microsoft has broadened the range of behavior that it can inspect. For example, the Creators Update earlier this year added detection of certain suspicious kinds of memory manipulation, and this will continue with the addition of monitoring for script-based attacks and detection of keylogging.

It was the third critical Windows Defender vulnerability Project Zero researchers had uncovered in the past seven weeks.
The engine's emulator is used to execute untrusted files, including portable executable files, as part of scanning them. Microsoft said that, with the artificial intelligence update, that won't happen again. The impact is compounded by the privileges involved: according to the advisory, the account the engine runs under (the LocalSystem account) has "extensive privileges on the local computer and acts as the computer on the network", so code execution inside the scanner is code execution as the most privileged local account.
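Because the exposure path described above depends on two things, a vulnerable engine build and real-time scanning of files as they arrive, the first check a defender wants after a bug like this is whether the installed Malware Protection Engine is at or past the fixed build and whether real-time protection is on. The following PowerShell is an added example written for this page, not code from the article, from Project Zero or from Microsoft; it uses only the built-in Defender module cmdlets (`Get-MpComputerStatus`, `Update-MpSignature`). The minimum engine version is an assumption you must supply from the relevant Microsoft advisory; the `1.1.0.0` placeholder below is not the fixed version for any specific bug.

```powershell
# Added example (not from the article, Project Zero or Microsoft).
# Checks whether the installed Malware Protection Engine is at least a
# given version and whether real-time protection (the auto-scan path the
# article describes) is enabled. Run in an elevated PowerShell session on
# a machine with Windows Defender installed.
function Test-MpEngineFixed {
    [CmdletBinding()]
    param(
        # Assumption: the caller supplies the fixed engine version taken
        # from the Microsoft advisory for the bug being checked.
        [Parameter(Mandatory)]
        [version]$MinimumEngineVersion
    )

    # Get-MpComputerStatus ships with the Defender PowerShell module.
    $status = Get-MpComputerStatus -ErrorAction Stop

    $engine = [version]$status.AMEngineVersion
    $fixed  = $engine -ge $MinimumEngineVersion

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        EngineVersion        = $engine
        MinimumEngineVersion = $MinimumEngineVersion
        EngineFixed          = $fixed
        RealTimeProtection   = $status.RealTimeProtectionEnabled
        SignaturesUpdated    = $status.AntivirusSignatureLastUpdated
        # A host is exposed to the "file touches disk" path only when the
        # engine is still vulnerable AND real-time scanning is on. A
        # vulnerable engine with real-time protection off is still
        # exploitable through any manual or scheduled scan.
        ExposedToAutoScan    = (-not $fixed) -and $status.RealTimeProtectionEnabled
    }
}

# Placeholder: replace with the fixed engine version from the advisory.
$required = [version]'1.1.0.0'

$before = Test-MpEngineFixed -MinimumEngineVersion $required
if (-not $before.EngineFixed) {
    # Engine updates are delivered through the definition update channel,
    # so pulling definitions from the configured source (Windows Update,
    # WSUS or a share) also brings the engine forward. Then re-check.
    Update-MpSignature -ErrorAction Stop
    Test-MpEngineFixed -MinimumEngineVersion $required
} else {
    $before
}
```

Two caveats a practitioner should keep in mind. First, `EngineFixed` is only as good as the version you feed it, so take it from the advisory rather than from memory. Second, this check covers the Windows Defender instance on the local host only; other products that embed the same engine (the Exchange server Ormandy mentions below is one) update on their own schedule and need to be checked separately.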
Microsoft says it is "hardening the Windows platform" with additional capabilities, including Windows Defender Exploit Guard, a new feature that makes EMET (Enhanced Mitigation Experience Toolkit) functionality native to Windows 10.
As a testament to how easily the bug is triggered, Ormandy took special precautions when publishing some of the proof-of-concept test cases, which were linked as a file named testcase.txt.
"Note that, as soon as the testcase.txt file touches disk, it will immediately crash the MsMpEng service on Windows, which may destabilize your system", the expert wrote. "The testcases have been encrypted to prevent crashing your exchange server".