Microsoft Security Advisory 3074162

Vulnerability in Microsoft Malicious Software Removal Tool Could Allow Elevation of Privilege

Published: July 14, 2015

Version: 1.0

Executive Summary

Microsoft is releasing this security advisory to inform customers that an update to the Microsoft Malicious Software Removal Tool (MSRT) is available that addresses a security vulnerability that was reported to Microsoft. The vulnerability could allow elevation of privilege if an attacker logs on to a target system and places a specially crafted dynamic link library (.dll) file in a local directory. An authenticated attacker who successfully exploited the vulnerability could elevate privileges on a target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights.

Administrators of enterprise installations should follow their established internal processes to ensure that updates are approved in their update management software, and that clients consume the updates accordingly.

Typically, no action is required of enterprise administrators or end users to install updates for the Microsoft Malicious Software Removal Tool, because the built-in mechanism for the automatic detection and deployment of updates will apply the update within 48 hours of release. The exact timeframe depends on the software used, Internet connection, and infrastructure configuration.

Advisory Details

Issue References

For more information about this issue, see the following references:

References Identification
CVE Reference CVE-2015-2418
Last version of the Microsoft Malicious Software Removal Tool affected by this vulnerability Version 5.25.
First version of the Microsoft Malicious Software Removal Tool with this vulnerability addressed Version 5.26*

*If your version of the Microsoft Malicious Software Removal Tool is equal to or greater than this version, then you are not affected by this vulnerability and do not need to take any further action. For more information on how to verify the engine version number that your software is currently using, see the section, "Verifying Update Installation", in Microsoft Knowledge Base Article 2510781.

Affected Software

This advisory discusses the following software.

Vulnerability Severity Rating and Maximum Security Impact by Affected Software
Antimalware Software MSRT Race Condition Vulnerability - CVE-2015-2418
Microsoft Malicious Software Removal Tool[1] (3074162) Important
Elevation of Privilege

[1]Applies only to May 2015 or earlier versions of the Microsoft Malicious Software Removal Tool.

Exploitability Index

The following table provides an exploitability assessment of the vulnerability addressed in this advisory.

How do I use this table?

Use this table to learn about the likelihood of functioning exploit code being released within 30 days of this advisory release. You should review the assessment below, in accordance with your specific configuration, in order to prioritize your deployment. For more information about what these ratings mean, and how they are determined, please see Microsoft Exploitability Index.

Vulnerability Title CVE ID Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Elevation of privilege Exploitability Assessment Key Notes
MSRT Race Condition Vulnerability CVE-2015-2418 3 - Exploitation Unlikely 3 - Exploitation Unlikely Permanent This is an elevation of privilege vulnerability.

Exploitation of this vulnerability may cause the operating system or an application to become permanently unresponsive until it is restarted manually. It may also cause an application to close or quit unexpectedly without automatically recovering.

Advisory FAQ

Is Microsoft releasing a Security Bulletin to address this vulnerability?
No. Microsoft is releasing this informational security advisory to inform customers that an update to the Microsoft Malicious Software Removal Tool addresses a security vulnerability that was reported to Microsoft.

Typically, no action is required of enterprise administrators or end users to install this update.

Why is typically no action required to install this update?
In response to a constantly changing threat landscape, Microsoft frequently updates Microsoft antimalware software, including the Microsoft Malicious Software Removal Tool. In order to be effective in helping to protect against new and prevalent threats, antimalware software must be kept up to date and updated in a timely manner.

For enterprise deployments as well as end users, the default configuration in Microsoft antimalware software helps ensure that the Microsoft Malicious Software Removal Tool is kept up to date automatically. Product documentation also recommends that products are configured for automatic updating.

Best practices recommend that customers regularly verify whether software distribution, such as the automatic deployment of Microsoft Malicious Software Removal Tool updates, is working as expected in their environment.

How can I install the update?
Refer to the section, Suggested Actions, for details on how to install this update.

Where can I find more information about Microsoft antimalware technology?
For more information, visit the Microsoft Malware Protection Center website.

Vulnerability Information

MSRT Race Condition Vulnerability - CVE-2015-2418

An elevation of privilege vulnerability exists in the Microsoft Malicious Software Removal Tool (MSRT) when it fails to properly handle a race condition involving a DLL-planting scenario. An authenticated attacker who successfully exploited this vulnerability could elevate privileges on a target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights.

To exploit the vulnerability, an attacker would have to log on to the target system and place a specially crafted dynamic link library (.dll) file in a local directory. An attacker would then have to wait for the user to run MSRT, which would in turn run the attacker’s malicious code to effectively increase privileges on the target system. The update addresses the vulnerability by correcting how MSRT handles race conditions.

Mitigating Factors

Microsoft has not identified any mitigating factors for this vulnerability.

Workarounds

Microsoft has not identified any workarounds for this vulnerability.

Suggested Actions

  • Verify that the update is installed

    Customers should verify that the latest version of the Microsoft Malicious Software Removal Tool and definition updates are being actively downloaded and installed for their Microsoft antimalware products.

    For more information on how to verify the version number for the Microsoft Malicious Software Removal Tool that your software is currently using, see the section, "Verifying Update Installation", in Microsoft Knowledge Base Article 2510781.

    For affected software, verify that the Microsoft Malicious Software Removal Tool version is 5.26 or later.

  • If necessary, install the update

    Administrators of enterprise antimalware deployments should ensure that their update management software is configured to automatically approve and distribute engine updates and new malware definitions. Enterprise administrators should also verify that the latest version of the Microsoft Malicious Software Removal Tool and definition updates are being actively downloaded, approved and deployed in their environment.

    Administrators may also obtain the update via the Microsoft Download Center (see the Affected Software table in this Advisory for a link to the relevant Download Center page).

    For end-users, the affected software provide built-in mechanisms for the automatic detection and deployment of this update. For these customers the update will be applied within 48 hours of its availability. The exact time frame depends on the software used, Internet connection, and infrastructure configuration. End users who do not wish to wait can manually update their antimalware software.

    For more information on how to manually update the Microsoft Malicious Software Removal Tool and malware definitions, refer to Microsoft Knowledge Base Article 2510781.

Other Information

Microsoft Active Protections Program (MAPP)

To improve security protections for customers, Microsoft provides vulnerability information to major security software providers in advance of each monthly security update release. Security software providers can then use this vulnerability information to provide updated protections to customers via their security software or devices, such as antivirus, network-based intrusion detection systems, or host-based intrusion prevention systems. To determine whether active protections are available from security software providers, please visit the active protections websites provided by program partners, listed in Microsoft Active Protections Program (MAPP) Partners.

Feedback

Support

Disclaimer

The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions

  • V1.0 (July 14, 2015): Advisory published.

Page generated 2015-07-23 9:46Z-07:00.