Launch Printer Friendly Page Security TechCenter > > Microsoft Security Advisory (2491888)

Microsoft Security Advisory (2491888)

Vulnerability in Microsoft Malware Protection Engine Could Allow Elevation of Privilege

Published: | Updated:

Version: 1.1

General Information

Executive Summary

Microsoft is releasing this security advisory to help ensure customers are aware that an update to the Microsoft Malware Protection Engine also addresses a security vulnerability reported to Microsoft. The update addresses a privately reported vulnerability that could allow elevation of privilege if the Microsoft Malware Protection Engine scans a system after an attacker with valid logon credentials has created a specially crafted registry key. An attacker who successfully exploited the vulnerability could gain the same user rights as the LocalSystem account. The vulnerability could not be exploited by anonymous users.

Since the Microsoft Malware Protection Engine is a part of several Microsoft anti-malware products, the update to the Microsoft Malware Protection Engine is installed along with the updated malware definitions for the affected products. Administrators of enterprise installations should follow their established internal processes to ensure that the definition and engine updates are approved in their update management software, and that clients consume the updates accordingly.

Typically, no action is required of enterprise administrators or end users to install this update, because the built-in mechanism for the automatic detection and deployment of this update will apply the update within the next 48 hours. The exact time frame depends on the software used, Internet connection, and infrastructure configuration.

Advisory Details

Issue References

For more information about this issue, see the following references:

CVE ReferenceCVE-2011-0037
Last version of the Microsoft Malware Protection Engine affected by this vulnerabilityVersion 1.1.6502.0*
First version of the Microsoft Malware Protection Engine with this vulnerability addressedVersion 1.1.6603.0**

*This version is the last version of the Microsoft Malware Protection Engine that is affected by the vulnerability.

**If your version of the Microsoft Malware Protection Engine is equal to or greater than this version, then you are not affected by this vulnerability and do not need to take any further action. For more information on how to verify the engine version number that your software is currently using, see the section, "Verifying Update Installation", in Microsoft Knowledge Base Article 2510781.

Affected Software and Severity Ratings

The following software have been tested to determine which versions or editions are affected. Other versions or editions are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, visit Microsoft Support Lifecycle.

The Microsoft Malware Protection Engine is a part of several Microsoft anti-malware products. Depending upon which affected Microsoft anti-malware product is installed, this update may have different severity ratings. The following severity ratings assume the potential maximum impact of the vulnerability.

Affected Software

Vulnerability Severity Rating and Maximum Security Impact by Affected Software
Anti-malware SoftwareMicrosoft Malware Protection Engine Vulnerability - CVE-2011-0037
Windows Live OneCareImportant 
Elevation of Privilege
Microsoft Security EssentialsImportant 
Elevation of Privilege
Microsoft Windows DefenderImportant 
Elevation of Privilege
Microsoft Forefront Client SecurityImportant 
Elevation of Privilege
Microsoft Forefront Endpoint Protection 2010Important 
Elevation of Privilege
Microsoft Malicious Software Removal Tool[1]Important 
Elevation of Privilege

[1]Applies only to February 2011 or earlier versions of the Microsoft Malicious Software Removal Tool.

Non-Affected Software

Anti-malware Software
Microsoft Antigen for Exchange
Microsoft Antigen for SMTP Gateway
Forefront Security for Exchange Server
Forefront Protection 2010 for Exchange Server
Forefront Threat Management Gateway 2010
Microsoft Forefront Security for SharePoint
Forefront Security for Office Communications Server
Microsoft Standalone System Sweeper (part of Microsoft Diagnostics and Recovery Toolset)

Exploitability Index

Frequently Asked Questions (FAQ) About this Advisory

FAQ for Microsoft Malware Protection Engine Vulnerability - CVE-2011-0037

Mitigating Factors and Suggested Actions

Other Information


Microsoft thanks the following for working with us to help protect customers:

  • Cesar Cerrudo of Argeniss for reporting the Microsoft Malware Protection Engine Vulnerability (CVE-2011-0037)

Microsoft Active Protections Program (MAPP)

To improve security protections for customers, Microsoft provides vulnerability information to major security software providers in advance of each monthly security update release. Security software providers can then use this vulnerability information to provide updated protections to customers via their security software or devices, such as antivirus, network-based intrusion detection systems, or host-based intrusion prevention systems. To determine whether active protections are available from security software providers, please visit the active protections Web sites provided by program partners, listed in Microsoft Active Protections Program (MAPP) Partners.



  • Customers in the United States and Canada can receive technical support from Security Support. For more information about available support options, see Microsoft Help and Support.
  • International customers can receive support from their local Microsoft subsidiaries. For more information about how to contact Microsoft for international support issues, visit International Support.
  • Microsoft TechNet Security provides additional information about security in Microsoft products.


The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.


  • V1.0 (February 23, 2011): Advisory published.
  • V1.1 (March 8, 2011): Revised advisory FAQ to announce updated version of the MSRT and added Forefront Security for Exchange Server to the list of non-affected software.