Microsoft Security Advisory (2846338)

Vulnerability in Microsoft Malware Protection Engine Could Allow Remote Code Execution

Published:

Version: 1.0

General Information

Executive Summary

Microsoft is releasing this security advisory to help ensure customers are aware that an update to the Microsoft Malware Protection Engine also addresses a security vulnerability reported to Microsoft. The update addresses a vulnerability that could allow remote code execution if the Microsoft Malware Protection Engine scans a specially crafted file. An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the LocalSystem account and take complete control of the system.

This vulnerability has been publicly disclosed as a denial of service.

The Microsoft Malware Protection Engine is a part of several Microsoft antimalware products. See the Affected Software section for a list of affected products. Updates to the Microsoft Malware Protection Engine are installed along with the updated malware definitions for the affected products. Administrators of enterprise installations should follow their established internal processes to ensure that the definition and engine updates are approved in their update management software, and that clients consume the updates accordingly.

Typically, no action is required of enterprise administrators or end users to install updates for the Microsoft Malware Protection Engine, because the built-in mechanism for the automatic detection and deployment of updates will apply the update within the next 48 hours. The exact time frame depends on the software used, Internet connection, and infrastructure configuration.

Mitigating Factors:

  • Only x64-based versions of the Malware Protection Engine are affected.

Advisory Details

Issue References

For more information about this issue, see the following references:

References | Identification
CVE Reference | CVE-2013-1346
Last version of the Microsoft Malware Protection Engine affected by this vulnerability | Version 1.1.9402.0
First version of the Microsoft Malware Protection Engine with this vulnerability addressed | Version 1.1.9506.0*

*If your version of the Microsoft Malware Protection Engine is equal to or greater than this version, then you are not affected by this vulnerability and do not need to take any further action. For more information on how to verify the engine version number that your software is currently using, see the section, "Verifying Update Installation", in Microsoft Knowledge Base Article 2510781.
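The version check described above, applied to a fleet inventory. This is an added example, not Microsoft's code or tooling: the CSV layout, column names and host names are assumptions, and the sample rows are constructed. Only the fixed engine version and the x64 restriction come from this advisory.

```python
import csv
import io

# First engine version with CVE-2013-1346 addressed, taken from the advisory.
FIXED_ENGINE = (1, 1, 9506, 0)

# Constructed sample inventory; column names and hosts are assumptions.
SAMPLE_INVENTORY = """host,arch,engine_version
ws-001,x64,1.1.9402.0
ws-002,x64,1.1.9506.0
ws-003,x86,1.1.9402.0
srv-004,x64,1.1.10100.0
srv-005,x64,
srv-006,x64,1.1.9402
"""

def parse_version(text):
    """Turn '1.1.9402.0' into (1, 1, 9402, 0); return None if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(arch, engine_version):
    """Return 'not_affected', 'update_required' or 'unknown' for one host."""
    arch = arch.strip().lower()
    if not arch:
        return "unknown"  # no architecture recorded: check the host manually
    if arch != "x64":
        # Mitigating factor: only x64-based engine versions are affected.
        return "not_affected"
    version = parse_version(engine_version)
    if version is None:
        return "unknown"  # missing or malformed version: check manually
    # Compare numerically: as strings, '1.1.10100.0' sorts before '1.1.9506.0'.
    return "not_affected" if version >= FIXED_ENGINE else "update_required"

def triage(inventory_csv):
    """Map each host in the CSV text to its classification."""
    reader = csv.DictReader(io.StringIO(inventory_csv))
    return {row["host"]: classify(row["arch"], row["engine_version"])
            for row in reader}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as unknown have a missing or malformed value and should be verified by hand rather than assumed to be updated.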

Affected Software

The following software has been tested to determine which versions or editions are affected. Other versions or editions are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, visit Microsoft Support Lifecycle.

The Microsoft Malware Protection Engine is a part of several Microsoft antimalware products. Depending upon which affected Microsoft antimalware product is installed, this update may have different severity ratings. The following severity ratings assume the potential maximum impact of the vulnerability.

Affected Software

Vulnerability Severity Rating and Maximum Security Impact by Affected Software

Antimalware Software | Microsoft Malware Protection Engine Vulnerability - CVE-2013-1346
Microsoft Forefront Client Security (x64) | Important - Remote Code Execution
Microsoft Forefront Endpoint Protection 2010 (x64) | Important - Remote Code Execution
Microsoft Forefront Security for SharePoint Service Pack 3 (x64) | Important - Remote Code Execution
Microsoft System Center 2012 Endpoint Protection (x64) | Important - Remote Code Execution
Microsoft System Center 2012 Endpoint Protection Service Pack 1 (x64) | Important - Remote Code Execution
Microsoft Malicious Software Removal Tool (x64)[1] | Important - Remote Code Execution
Microsoft Security Essentials (x64) | Important - Remote Code Execution
Microsoft Security Essentials Prerelease (x64) | Important - Remote Code Execution
Windows Defender for Windows 8 (x64) | Important - Remote Code Execution
Windows Defender for Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 (x64) | Important - Remote Code Execution
Windows Defender Offline (x64) | Important - Remote Code Execution
Windows Intune Endpoint Protection (x64) | Important - Remote Code Execution

[1] Applies only to April 2013 or earlier versions of the Microsoft Malicious Software Removal Tool.

Non-Affected Software

Antimalware Software

Does not run Malware Protection Engine:

  • Microsoft Forefront Server Security Management Console
  • Microsoft Internet Security and Acceleration (ISA) Server

Does not run a vulnerable version of Malware Protection Engine:

  • Microsoft Antigen for Exchange
  • Microsoft Antigen for SMTP Gateway
  • Microsoft System Center 2012 Endpoint Protection for Linux
  • Microsoft System Center 2012 Endpoint Protection for Mac
  • Microsoft Forefront Protection 2010 for Exchange Server
  • Microsoft Forefront Security for Exchange Server Service Pack 2
  • Microsoft Forefront Security for Office Communications Server
  • Microsoft Forefront Threat Management Gateway 2010
  • Microsoft Forefront Client Security (x86)
  • Microsoft Forefront Endpoint Protection 2010 (x86)
  • Microsoft Forefront Security for SharePoint Service Pack 3 (x86)
  • Microsoft Malicious Software Removal Tool (x86)
  • Microsoft Security Essentials (x86)
  • Microsoft Security Essentials Prerelease (x86)
  • Microsoft System Center 2012 Endpoint Protection (x86)
  • Microsoft System Center 2012 Endpoint Protection Service Pack 1 (x86)
  • Microsoft System Center 2012 Endpoint Protection for Mac Service Pack 1
  • Windows Defender for Windows 8 (x86)
  • Windows Defender for Windows RT
  • Windows Defender for Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 (x86)
  • Windows Defender Offline (x86)
  • Windows Intune Endpoint Protection (x86)

Exploitability Index

Advisory FAQ

FAQ for Microsoft Malware Protection Engine Vulnerability - CVE-2013-1346

Suggested Actions

Other Information

Acknowledgments

Microsoft thanks the following for working with us to help protect customers:

  • Graeme Gill of Argyll CMS for working with us on the Microsoft Malware Protection Engine Vulnerability (CVE-2013-1346)

Microsoft Active Protections Program (MAPP)

To improve security protections for customers, Microsoft provides vulnerability information to major security software providers in advance of each monthly security update release. Security software providers can then use this vulnerability information to provide updated protections to customers via their security software or devices, such as antivirus, network-based intrusion detection systems, or host-based intrusion prevention systems. To determine whether active protections are available from security software providers, please visit the active protections websites provided by program partners, listed in Microsoft Active Protections Program (MAPP) Partners.

Feedback

Support

Disclaimer

The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions

  • V1.0 (May 14, 2013): Advisory published.