Feb 24, 2011 14:56 GMT

A privilege escalation vulnerability has been identified in the Microsoft Malware Protection Engine used in many Microsoft anti-malware products, including the free Microsoft Security Essentials (MSE) antivirus.

Microsoft announced the vulnerability, which is identified as CVE-2011-0037, in a newly published security advisory and credits Cesar Cerrudo of Argeniss with its discovery.

The flaw is located in the mpengine.dll file, which is found in Microsoft Security Essentials, Microsoft Windows Defender, Microsoft Forefront Client Security, Microsoft Forefront Endpoint Protection 2010 and Microsoft Malicious Software Removal Tool.

An attacker can exploit the vulnerability by adding a special registry key. If the real-time protection component of the vulnerable software is turned on, the registry key will be scanned automatically and exploitation will occur.

If it is not, the attacker will have to wait for a scheduled scan to run. There is no way of exploiting the vulnerability by manually initiating a scan.

A successful attack can result in arbitrary code being executed under LocalSystem, a default account with administrative privileges on the system.

Because the attacker already needs to have access to a limited account on the system, the vulnerability is only rated as Important.

Microsoft has issued updates for the malware protection engine via Microsoft Update. Users of MSE, Windows Defender and Forefront are advised to configure their clients to automatically check for updates.

The Malicious Software Removal Tool (MSRT) will remain unpatched for the time being, until a new version is released during the next update cycle on March 8, 2011. Attackers can't exploit the flaw by running MSRT manually.

The vulnerability was reported privately to Microsoft and the company is not aware of any technical details being publicly disclosed. In addition, no active attacks exploiting it have been detected so far.