Australia's Leading Computer Emergency Response Team
ESB-2014.0998 - [Win] Microsoft Malware Protection Engine: Denial of service - Remote with user interaction

Date: 18 June 2014


             AUSCERT External Security Bulletin Redistribution

        Vulnerability in Microsoft Malware Protection Engine Could
                          Allow Denial of Service
                               18 June 2014


        AusCERT Security Bulletin Summary

Product:           Microsoft Malware Protection Engine
Publisher:         Microsoft
Operating System:  Windows
Impact/Access:     Denial of Service -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-2779  

Original Bulletin:

--------------------------BEGIN INCLUDED TEXT--------------------

Microsoft Security Advisory 2974294

Vulnerability in Microsoft Malware Protection Engine Could Allow Denial of 
Service

Published: June 17, 2014

Version: 1.0

General Information

Executive Summary

Microsoft is releasing this security advisory to inform customers that an 
update to the Microsoft Malware Protection Engine addresses a security 
vulnerability that was reported to Microsoft. The vulnerability could allow 
denial of service if the Microsoft Malware Protection Engine scans a specially
crafted file. An attacker who successfully exploited this vulnerability could
prevent the Microsoft Malware Protection Engine from monitoring affected 
systems until the specially crafted file is manually removed and the service 
is restarted.

The Microsoft Malware Protection Engine ships with several Microsoft 
antimalware products. See the Affected Software section for a list of affected
products. Updates to the Microsoft Malware Protection Engine are installed 
along with the updated malware definitions for the affected products. 
Administrators of enterprise installations should follow their established 
internal processes to ensure that the definition and engine updates are 
approved in their update management software, and that clients consume the 
updates accordingly.

Typically, no action is required of enterprise administrators or end users to
install updates for the Microsoft Malware Protection Engine, because the 
built-in mechanism for the automatic detection and deployment of updates will
apply the update within 48 hours of release. The exact time frame depends on 
the software used, Internet connection, and infrastructure configuration.

References                                            Identification
----------------------------------------------------  --------------------
CVE Reference                                         CVE-2014-2779
Microsoft Knowledge Base Article                      2974294
Last version of the Microsoft Malware Protection
  Engine affected by this vulnerability               Version 1.1.10600.0
First version of the Microsoft Malware Protection
  Engine with this vulnerability addressed            Version 1.1.10701.0*

*If your version of the Microsoft Malware Protection Engine is equal to or 
greater than this version, then you are not affected by this vulnerability 
and do not need to take any further action. For more information on how to 
verify the engine version number that your software is currently using, see
the section, "Verifying Update Installation", in Microsoft Knowledge Base
Article 2510781.

Affected Software

Microsoft Forefront Client Security
Microsoft Forefront Endpoint Protection 2010
Microsoft Forefront Security for SharePoint Service Pack 3
Microsoft System Center 2012 Endpoint Protection
Microsoft System Center 2012 Endpoint Protection Service Pack 1
Microsoft Malicious Software Removal Tool[1]
Microsoft Security Essentials
Microsoft Security Essentials Prerelease
Windows Defender for Windows 8, Windows 8.1, Windows Server 2012, and Windows 
  Server 2012 R2
Windows Defender for Windows RT and Windows RT 8.1
Windows Defender for Windows XP, Windows Server 2003, Windows Vista, Windows 
  Server 2008, Windows 7, and Windows Server 2008 R2
Windows Defender Offline 
Windows Intune Endpoint Protection

[1]Applies only to May 2014 or earlier versions of the Microsoft Malicious 
Software Removal Tool.

--------------------------END INCLUDED TEXT--------------------
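
The "equal to or greater than" check from the advisory's version footnote, applied to an inventory export. This is an added example, not part of the Microsoft advisory or the AusCERT bulletin; the CSV column names, host names and sample versions are constructed, and PowerShell 3.0 or later is assumed.

```powershell
# Added example: classify inventory rows against the fixed engine version.
$FixedVersion = [version]'1.1.10701.0'   # first fixed version, from the advisory table

# Constructed sample export; column names and host names are hypothetical.
$sampleCsv = @'
ComputerName,Product,EngineVersion
WS-001,Microsoft Security Essentials,1.1.10600.0
WS-002,Windows Defender,1.1.10701.0
WS-003,System Center 2012 Endpoint Protection,1.1.9901.0
WS-004,Forefront Endpoint Protection 2010,1.1.10802.0
WS-005,Windows Defender,
'@

function Get-EngineStatus {
    param(
        [Parameter(Mandatory)] [object[]] $Inventory,
        [version] $Fixed = $FixedVersion
    )
    foreach ($row in $Inventory) {
        $parsed = $null
        if ([version]::TryParse([string]$row.EngineVersion, [ref]$parsed)) {
            # [version] compares each component numerically. Compared as
            # strings, '1.1.9901.0' sorts above '1.1.10701.0' and would be
            # reported as patched when it is not.
            $status = if ($parsed -ge $Fixed) { 'NotAffected' } else { 'NeedsUpdate' }
        } else {
            # Missing or malformed version: no conclusion, follow up by hand.
            $status = 'Unknown'
        }
        [pscustomobject]@{
            ComputerName  = $row.ComputerName
            Product       = $row.Product
            EngineVersion = $row.EngineVersion
            Status        = $status
        }
    }
}

Get-EngineStatus -Inventory ($sampleCsv | ConvertFrom-Csv) | Format-Table -AutoSize
```

With the sample rows, WS-001 and WS-003 come back as NeedsUpdate, WS-002 and WS-004 as NotAffected, and WS-005 as Unknown.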

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email:
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.