Skip to content


So the above Tweet came along, but the way it was framed it was not very worthy reporting, because it was nothing actionable: »I think @natashenka and I just discovered the worst Windows remote code exec in recent memory. This is crazy bad. Report on the way.«

And reported and handled it was, in record time. This is now public on Project Zero, and a fix is being rolled out to all current Windows.

Somewhere, someone is crying, because this the the perfect, stable, universal, remotely exploitable Windows Exploit and they have probably paid millions for this – and now it is worthless and burnt.

NScript is the component of mpengine that evaluates any filesystem or network activity that looks like JavaScript. To be clear, this is an unsandboxed and highly privileged JavaScript interpreter that is used to evaluate untrusted code, by default on all modern Windows systems. This is as surprising as it sounds.
That’s reading like a Fefe rant on “protection snake oil is actually increasing the attack surface of the very systems you want to protect”.
How universal is it?
On workstations, attackers can access mpengine by sending emails to users (reading the email or opening attachments is not necessary), visiting links in a web browser, instant messaging and so on. This level of accessibility is possible because MsMpEng uses a filesystem minifilter to intercept and inspect all system filesystem activity, so writing controlled contents to anywhere on disk (e.g. caches, temporary internet files, downloads (even unconfirmed downloads), attachments, etc) is enough to access functionality in mpengine. MIME types and file extensions are not relevant to this vulnerability, as MsMpEng uses it’s own content identification system.
And as if that isn’t bad enough, there is this:
As mpengine will unpack arbitrarily deeply nested archives and supports many obscure and esoteric archive formats (such as Amiga ZOO and MagicISO UIF), there is no practical way to identify an exploit at the network level, and administrators should patch as soon as is practically possible.
Yes, it goes to great lengths to actually find and execute the payload, no matter how you wrap it and send it.
And the PoC is small enough to tweet it:
Some people didn’t like that Tweet. @natashenka responded:

If a tweet is causing panic or confusion in your organization, the problem isn’t the tweet, the problem is your organization.


Published inHackerterrorcybercyber

Be First to Comment

Leave a Reply

Your email address will not be published. Required fields are marked *