Microsoft Malware Protection Engine PDF File Parsing Remote Code Execution
2007-02-13T16:03:53
ID OSVDB:31888 Type osvdb Reporter Alex Wheeler(advisories@hustlelabs.com), Neel Mehta() Modified 2007-02-13T16:03:53
Description
Vulnerability Description
A local overflow exists in Malware Protection Engine. mpengine.dll fails to validate PDF files resulting in an integer overflow. With a specially crafted file, an attacker can cause arbitrary code execution resulting in a loss of integrity.
Solution Description
Currently, there are no known workarounds or upgrades to correct this issue. However, Microsoft has released a patch to address this vulnerability.
Short Description
A local overflow exists in Malware Protection Engine. mpengine.dll fails to validate PDF files resulting in an integer overflow. With a specially crafted file, an attacker can cause arbitrary code execution resulting in a loss of integrity.
{"href": "https://vulners.com/osvdb/OSVDB:31888", "id": "OSVDB:31888", "reporter": "Alex Wheeler(advisories@hustlelabs.com), Neel Mehta()", "published": "2007-02-13T16:03:53", "description": "## Vulnerability Description\nA local overflow exists in Malware Protection Engine. mpengine.dll fails to validate PDF files resulting in an integer overflow. With a specially crafted file, an attacker can cause arbitrary code execution resulting in a loss of integrity.\n## Solution Description\nCurrently, there are no known workarounds or upgrades to correct this issue. However, Microsoft has released a patch to address this vulnerability.\n## Short Description\nA local overflow exists in Malware Protection Engine. mpengine.dll fails to validate PDF files resulting in an integer overflow. With a specially crafted file, an attacker can cause arbitrary code execution resulting in a loss of integrity.\n## References:\nVendor URL: http://www.microsoft.com\n[Vendor Specific Advisory URL](http://www.microsoft.com/technet/security/Bulletin/MS07-010.mspx)\nSecurity Tracker: 1017636\n[Secunia Advisory ID:24146](https://secuniaresearch.flexerasoftware.com/advisories/24146/)\nMicrosoft Security Bulletin: MS07-010\nMicrosoft Knowledge Base Article: 932135\nFrSIRT Advisory: ADV-2007-0579\n[CVE-2006-5270](https://vulners.com/cve/CVE-2006-5270)\nBugtraq ID: 22479\n", "title": "Microsoft Malware Protection Engine PDF File Parsing Remote Code Execution", "lastseen": "2017-04-28T13:20:28", "bulletinFamily": "software", "type": "osvdb", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "references": [], "edition": 1, "cvelist": ["CVE-2006-5270"], "affectedSoftware": [{"name": "Antigen for Exchange", "operator": "eq", "version": "9.x"}, {"name": "Windows Defender in Windows Vista", "operator": "eq", "version": "Unspecified"}, {"name": "Antigen for SMTP Gateway", "operator": "eq", "version": "9.x"}, {"name": "Windows Defender x64", "operator": "eq", "version": "Unspecified"}, {"name": "Live OneCare", "operator": "eq", "version": "Unspecified"}, {"name": "Windows Defender", "operator": "eq", "version": "Unspecified"}, {"name": "Forefront Security for Sharepoint", "operator": "eq", "version": "Unspecified"}, {"name": "Forefront Security for Exchange Server", "operator": "eq", "version": "Unspecified"}], "viewCount": 3, "enchantments": {"score": {"value": 7.8, "vector": "NONE", "modified": "2017-04-28T13:20:28", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2006-5270"]}, {"type": "cert", "idList": ["VU:511577"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:16057", "SECURITYVULNS:VULN:7228"]}, {"type": "nessus", "idList": ["SMB_NT_MS07-010.NASL"]}], "modified": "2017-04-28T13:20:28", "rev": 2}, "vulnersScore": 7.8}, "modified": "2007-02-13T16:03:53", "immutableFields": []}
{"cve": [{"lastseen": "2021-02-02T05:27:24", "description": "Integer overflow in the Microsoft Malware Protection Engine (mpengine.dll), as used by Windows Live OneCare, Antigen, Defender, and Forefront Security, allows user-assisted remote attackers to execute arbitrary code via a crafted PDF file.", "edition": 4, "cvss3": {}, "published": "2007-02-13T20:28:00", "title": "CVE-2006-5270", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": true, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2006-5270"], "modified": "2018-10-12T21:41:00", "cpe": ["cpe:/a:microsoft:malware_protection_engine:*", "cpe:/a:microsoft:windows_defender:*", "cpe:/a:microsoft:antigen:*", "cpe:/a:microsoft:windows_live_onecare:*", "cpe:/a:microsoft:forefront_security:*"], "id": "CVE-2006-5270", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-5270", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:microsoft:antigen:*:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:windows_live_onecare:*:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:malware_protection_engine:*:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:forefront_security:*:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:windows_defender:*:*:*:*:*:*:*:*"]}], "cert": [{"lastseen": "2020-09-18T20:42:50", "bulletinFamily": "info", "cvelist": ["CVE-2006-5270"], "description": "### Overview \n\nA vulnerability in the way Microsoft Malware Protection Engine processes PDF files may lead to execution of arbitrary code.\n\n### Description \n\nMicrosoft Malware Protection Engine contains a vulnerability that could be exploited when it attempts to process specially crafted PDF files. According to Microsoft Security Bulletin MS07-010, an integer overflow vulnerability exists in the way that the Microsoft Malware Protection Engine processes Portable Document Format (PDF) files. An attacker with the ability to supply a specially crafted PDF file could exploit this vulnerability.\n\nNote that according to Microsoft the Malware Protection Engine is a coponent of the following:\n\n * Windows Live OneCare\n * Microsoft Antigen for Exchange 9.x\n * Microsoft Antigen for SMTP Gateway 9.x\n * Microsoft Windows Defender\n * Microsoft Windows Defender x64 Edition\n * Microsoft Windows Defender in Windows Vista\n * Microsoft Forefront Security for Exchange Server\n * Microsoft Forefront Security for SharePoint \n--- \n \n### Impact \n\nA remote, unauthenticated attacker may be able to execute arbitrary code or cause a denial-of-service condition. \n \n--- \n \n### Solution \n\n**Update**Microsoft has released an update to address this issue. See Microsoft Security Bulletin [MS07-010](<http://www.microsoft.com/technet/security/Bulletin/ms07-010.mspx>) for more details. \n \n--- \n \n### Vendor Information\n\n511577\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Additional information available\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n**Javascript is disabled. Click here to view vendors.**\n\n### Microsoft Corporation __ Affected\n\nUpdated: February 20, 2007 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nRefer to Microsoft Security Bulletin [MS07-010](<http://www.microsoft.com/technet/security/Bulletin/ms07-010.mspx>).\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23511577 Feedback>).\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | | \nTemporal | | \nEnvironmental | | \n \n \n\n\n### References \n\n * <http://www.microsoft.com/technet/security/Bulletin/ms07-010.mspx>\n * <http://secunia.com/advisories/24146/>\n * <http://securitytracker.com/alerts/2007/Feb/1017636.html>\n * <http://www.securityfocus.com/bid/22479>\n\n### Acknowledgements\n\nThis vulnerability was reported in Microsoft Security Bulletin ms07-10. Microsoft credits Neel Mehta and Alex Wheeler of ISS X-Force for reporting this issue.\n\nThis document was written by Chris Taschner.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2006-5270](<http://web.nvd.nist.gov/vuln/detail/CVE-2006-5270>) \n---|--- \n**Severity Metric:** | 25.65 \n**Date Public:** | 2007-02-13 \n**Date First Published:** | 2007-02-20 \n**Date Last Updated: ** | 2007-02-23 13:53 UTC \n**Document Revision: ** | 15 \n", "modified": "2007-02-23T13:53:00", "published": "2007-02-20T00:00:00", "id": "VU:511577", "href": "https://www.kb.cert.org/vuls/id/511577", "type": "cert", "title": "Microsoft Malware Protection Engine fails to properly process a specially crafted PDF File", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "securityvulns": [{"lastseen": "2018-08-31T11:09:23", "bulletinFamily": "software", "cvelist": ["CVE-2006-5270"], "description": "Integer overflow on PDF files parsing.", "edition": 1, "modified": "2007-02-13T00:00:00", "published": "2007-02-13T00:00:00", "id": "SECURITYVULNS:VULN:7228", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:7228", "title": "Microsoft Malware Protection integer overflow", "type": "securityvulns", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:21", "bulletinFamily": "software", "cvelist": ["CVE-2006-5270"], "description": "Microsoft Security Bulletin MS07-010\r\nVulnerability in Microsoft Malware Protection Engine Could Allow Remote Code Execution (932135)\r\nPublished: February 13, 2007\r\n\r\nVersion: 1.0\r\nSummary\r\n\r\nWho Should Read this Document: Customers who use Microsoft Malware Protection Engine\r\n\r\nImpact of Vulnerability: Remote Code Execution\r\n\r\nMaximum Severity Rating: Critical\r\n\r\nRecommendation: Customers should immediately ensure that they have the latest Microsoft Malware Protection Engine update\r\n\r\nSecurity Update Replacement: None\r\n\r\nCaveats: None\r\n\r\nTested Software and Security Update Download Locations:\r\n\r\nAffected Software:\r\n\u2022\t\r\n\r\nWindows Live OneCare\r\n\u2022\t\r\n\r\nMicrosoft Antigen for Exchange 9.x\r\n\u2022\t\r\n\r\nMicrosoft Antigen for SMTP Gateway 9.x\r\n\u2022\t\r\n\r\nMicrosoft Windows Defender\r\n\u2022\t\r\n\r\nMicrosoft Windows Defender x64 Edition\r\n\u2022\t\r\n\r\nMicrosoft Windows Defender in Windows Vista\r\n\u2022\t\r\n\r\nMicrosoft Forefront Security for Exchange Server\r\n\u2022\t\r\n\r\nMicrosoft Forefront Security for SharePoint\r\n\r\nAffected Components:\r\n\u2022\t\r\n\r\nMicrosoft Malware Protection Engine\r\n\r\nThe software in this list has been tested to determine whether the versions are affected. Other versions either no longer include security update support or may not be affected. To determine the support life cycle for your product and version, visit the Microsoft Support Lifecycle Web site.\r\nTop of sectionTop of section\r\nGeneral Information\r\n\t\r\nExecutive Summary\r\n\r\nExecutive Summary:\r\n\r\nThis update resolves a newly discovered, privately reported vulnerability in the Microsoft Malware Protection Engine. The vulnerability is documented in the "Vulnerability Details" section of this bulletin.\r\n\r\nAn attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\r\n\r\nWe recommend that customers should immediately ensure that they have the latest Microsoft Malware Protection Engine update.\r\n\r\nSeverity Ratings and Vulnerability Identifiers:\r\nVulnerability Identifiers\tImpact of Vulnerability\tWindows Live OneCare\tMicrosoft Antigen for Exchange 9.x \tMicrosoft Antigen for SMTP Gateway 9.x\tMicrosoft Windows Defender\tMicrosoft Windows Defender x64\tMicrosoft Windows Defender in Windows Vista\tMicrosoft Forefront Security for Exchange Server \tMicrosoft Forefront Security for SharePoint\r\n\r\nMicrosoft Malware Protection Engine Vulnerability - CVE-2006-5270\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nCritical\r\n\r\nThis assessment is based on the types of systems that are affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.\r\nTop of sectionTop of section\r\n\t\r\nFrequently Asked Questions (FAQ) Related to This Security Update\r\n\r\nAre my Microsoft products that use the Microsoft Malware Protection Engine automatically updated?\r\n\r\nThe following table provides the deployment methods for this security update.\r\nProduct\tAutomatically Updated\tEngine Version Number\r\n\r\nWindows Live OneCare\r\n\t\r\n\r\nYes (Windows Live OneCare AutoUpdate)\r\n\t\r\n\r\n1.1.2101.0\r\n\r\nMicrosoft Antigen for Exchange 9.x\r\n\t\r\n\r\nYes (Forefront Server security update service)\r\n\t\r\n\r\n0.1.8.53\r\n\r\nMicrosoft Antigen for SMTP Gateway 9.x\r\n\t\r\n\r\nYes (Forefront Server security update service)\r\n\t\r\n\r\n0.1.8.53\r\n\r\nMicrosoft Windows Defender\r\n\t\r\n\r\nYes (Microsoft Update)\r\n\t\r\n\r\n1.1.2101.0\r\n\r\nMicrosoft Windows Defender in Windows Vista\r\n\t\r\n\r\nYes (Microsoft Update)\r\n\t\r\n\r\n1.1.2101.0\r\n\r\nMicrosoft Windows Defender x64 Edition\r\n\t\r\n\r\nYes (Microsoft Update)\r\n\t\r\n\r\n1.1.2101.0\r\n\r\nMicrosoft Forefront Security for Exchange Server\r\n\t\r\n\r\nYes (Forefront Server security update service)\r\n\t\r\n\r\n0.1.8.53\r\n\r\nMicrosoft Forefront Security for SharePoint\r\n\t\r\n\r\nYes (Forefront Server security update service)\r\n\t\r\n\r\n0.1.8.53\r\n\r\nNote If your engine version is equal to or greater than the above listed Engine Version Number, then you are not affected by this vulnerability and do not need to take any further action.\r\n\r\nNote Users who have disabled AutoUpdate or Microsoft Update for their Microsoft Antivirus client software will need to either re-enable AutoUpdate or update the Microsoft Antivirus client software manually to receive the updated Microsoft Malware Protection engine. To update the Microsoft Antivirus client software manually, users should follow the product documentation provided with the affected software.\r\n\r\nNote For Microsoft Antigen and Microsoft Forefront, the Microsoft engine is automatically updated. For systems that have been altered from the default installation, manual engine updates can be performed through the administrator tool. If the engine had been disabled, it can be re-enabled and then updated immediately by clicking \u201cupdate now\u201d. For customers that update engines using Microsoft Antigen Enterprise Manager, users should select Engine Update Redistribution Job and click Run Now.\r\nTop of sectionTop of section\r\n\t\r\nVulnerability Details\r\n\t\r\nMicrosoft Malware Protection Engine Vulnerability - CVE-2006-5270:\r\n\r\nA remote code execution vulnerability exists in the Microsoft Malware Protection Engine because of the way that it parses Portable Document Format (PDF) files. An attacker could exploit the vulnerability by constructing a specially crafted PDF File that could potentially allow remote code execution when the target computer system receives, and the Microsoft Malware Protection Engine scans, the PDF file.\r\n\t\r\nMitigating Factors for Microsoft Malware Protection Engine Vulnerability - CVE-2006-5270:\r\n\r\nWe have not identified any mitigating factors for this vulnerability.\r\nTop of sectionTop of section\r\n\t\r\nWorkarounds for Microsoft Malware Protection Engine Vulnerability - CVE-2006-5270:\r\n\u2022\t\r\n\r\nMicrosoft Forefront Security for Exchange Server, Microsoft Forefront Security for SharePoint, and Microsoft Antigen supports multiple engines in addition to the Microsoft Malware Protection Engine on a single system. If multiple engines are available on an affected system, administrators can disable the Microsoft Malware Protection Engine as a workaround, until the Microsoft Malware Protection Engine can be updated. Before disabling the Microsoft Malware Protection Engine, administrators should ensure they have installed the latest virus signatures for any third party engine.\r\n\u2022\t\r\n\r\nWe have not identified any workarounds for Windows Live OneCare and Microsoft Windows Defender.\r\nTop of sectionTop of section\r\n\t\r\nFAQ for Microsoft Malware Protection Engine Vulnerability - CVE-2006-5270:\r\n\r\nWhat is the scope of the vulnerability?\r\nA remote code execution vulnerability exists in the Microsoft Malware Protection Engine because of the way that it parses Portable Document Format (PDF) files. An attacker could exploit the vulnerability by constructing a specially crafted PDF file that could potentially allow remote code execution when the target computer system receives, and the Microsoft Malware Protection Engine scans, the PDF file.\r\n\r\nWhat causes the vulnerability?\r\nAn integer overflow in the Microsoft Malware Protection Engine when processing a specially crafted PDF file.\r\n\r\nWhat is the Microsoft Malware Protection Engine?\r\nThe Microsoft Malware Protection Engine, mpengine.dll, provides the scanning, detection and cleaning capabilities for the following antivirus and antispyware clients: Windows Live OneCare, Microsoft Forefront Security, Microsoft Antigen, and Windows Defender.\r\n\r\nWhat might an attacker use the vulnerability to do?\r\nAn attacker who successfully exploited this vulnerability could cause remote code execution and take complete control of the affected system.\r\n\r\nWho could exploit the vulnerability?\r\nAny anonymous user who could deliver a specially crafted PDF to an affected system could try to exploit this vulnerability.\r\n\r\nHow could an attacker exploit the vulnerability?\r\nAn attacker could try to exploit the vulnerability by creating a specially crafted PDF attachment and forcing an affected system to process the PDF. When Microsoft Malware Protection Engine on the target machine automatically scans the PDF, the PDF could then cause the affected system to execute arbitrary code.\r\n\r\nFinally, an attacker could also make a specially crafted PDF available on a Web site. An attacker would have no way to force users to visit a particular Web site. Instead, an attacker would have to convince them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site.\r\n\r\nWhat systems are primarily at risk from the vulnerability?\r\nAny Microsoft Antivirus client that uses the Microsoft Malware Protection Engine and whose filters are configured to allow PDF file processing is at risk.\r\n\r\nWhat does the update do?\r\nThe update removes the integer overflow vulnerability by modifying the way that the Microsoft Malware Protection Engine validates the length of data in the PDF before passing the data to the allocated buffer.\r\n\r\nWhen this security bulletin was issued, had this vulnerability been publicly disclosed?\r\nNo. Microsoft received information about this vulnerability through responsible disclosure. Microsoft had not received any information to indicate that this vulnerability had been publicly disclosed when this security bulletin was originally issued. This security bulletin addresses the vulnerability as well as additional issues discovered through internal investigations.\r\n\r\nWhen this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?\r\nNo. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.\r\nTop of sectionTop of section\r\nTop of sectionTop of section\r\nTop of sectionTop of section\r\n\t\r\nSecurity Update Information\r\n\r\nAffected Software:\r\n\r\nFor information about the specific security update for your affected software, click the appropriate link:\r\n\t\r\nWindows Live OneCare\r\n\r\nPrerequisites\r\nThis security update requires Windows Live OneCare.\r\n\r\nRestart Requirement\r\n\r\nThis update does not require a restart. The installer stops the required services, applies the update, and then restarts the services. However, if the required services cannot be stopped for any reason, or if required files are being used, this update will require a restart. If this behavior occurs, a message appears that advises you to restart.\r\n\r\nFor more information about the reasons why you may be prompted to restart your computer, see Microsoft Knowledge Base Article 887012.\r\n\r\nRemoval Information\r\n\r\nThis update cannot be uninstalled when using Windows Live OneCare on Windows XP.\r\n\r\nThis update can be uninstalled when using Windows Live OneCare in Windows Vista.\r\n\r\nVerifying Update Installation\r\n\r\nTo verify that the update has been applied to an affected system, perform the following steps:\r\n\r\n1.\r\n\t\r\n\r\nClick Help, then click About Windows Live OneCare.\r\n\r\n2.\r\n\t\r\n\r\nCheck the version number. If the Virus and spyware definition version reads 1.1.2101.0 or above, the update has been successfully installed.\r\nTop of sectionTop of section\r\n\t\r\nMicrosoft Antigen for Exchange 9.x\r\n\r\nPrerequisites\r\nThis security update requires Microsoft Antigen for Exchange 9.x.\r\n\r\nRestart Requirement\r\n\r\nThis update is automatic and does not require a restart.\r\n\r\nForefront Server security update service automatically updates the Microsoft Antivirus engine in Microsoft Antigen for Exchange Server. However, on computer systems running Microsoft Antigen where users have disabled the Microsoft Antivirus engine, users will have to re-enable the engine through the administrator tool. Once re-enabled the engine should be updated by clicking \u201cupdate now\u201d.\r\n\r\nRemoval Information\r\n\r\nThis update cannot be uninstalled.\r\n\r\nVerifying Update Installation\r\n\r\nTo verify that the update has been applied to an affected system, perform the following steps:\r\n\r\n1.\r\n\t\r\n\r\nIn Antigen Administrator, click Scanner Updates and then click Microsoft Antivirus.\r\n\r\n2.\r\n\t\r\n\r\nCheck the version number. If the Microsoft Antivirus engine build number reads 0.1.8.53 or above, the update has been successfully installed.\r\n\r\nFor instructions on configuring Microsoft Antigen engines, visit the following Microsoft Web site.\r\nTop of sectionTop of section\r\n\t\r\nMicrosoft Antigen for SMTP Gateway 9.x\r\n\r\nPrerequisites\r\nThis security update requires Microsoft Antigen for SMTP Gateway 9.x.\r\n\r\nRestart Requirement\r\n\r\nThis update is automatic and does not require a restart.\r\n\r\nForefront Server security update service automatically updates the Microsoft Antivirus engine in Microsoft Antigen for SMTP Gateway. However, on computer systems running Microsoft Antigen where users have disabled the Microsoft Antivirus engine, users will have to re-enable the engine through the administrator tool. Once re-enabled the engine should be updated by clicking \u201cupdate now\u201d.\r\n\r\nRemoval Information\r\n\r\nThis update cannot be uninstalled.\r\n\r\nVerifying Update Installation\r\n\r\nTo verify that the update has been applied to an affected system, perform the following steps:\r\n\r\n1.\r\n\t\r\n\r\nIn Antigen Administrator, click Scanner Updates and then click Microsoft Antivirus.\r\n\r\n2.\r\n\t\r\n\r\nCheck the version number. If the Microsoft Antivirus engine build number reads 0.1.8.53 or above, the update has been successfully installed.\r\n\r\nFor instructions on configuring Microsoft Antigen engines, visit the following Microsoft Web site.\r\nTop of sectionTop of section\r\n\t\r\nMicrosoft Windows Defender and Windows Defender in Windows Vista\r\n\r\nPrerequisites\r\nThis security update requires Windows Defender.\r\n\r\nRestart Requirement\r\n\r\nThis update does not require a restart. The installer stops the required services, applies the update, and then restarts the services. However, if the required services cannot be stopped for any reason, or if required files are being used, this update will require a restart. If this behavior occurs, a message appears that advises you to restart.\r\n\r\nFor more information about the reasons why you may be prompted to restart your computer, see Microsoft Knowledge Base Article 887012.\r\n\r\nRemoval Information\r\n\r\nThis update cannot be uninstalled from Windows XP, or Windows Server 2003.\r\n\r\nThis update can be uninstalled from Windows Vista.\r\n\r\nVerifying Update Installation\r\n\r\nTo verify that the update has been applied to an affected system, perform the following steps:\r\n\r\n1.\r\n\t\r\n\r\nClick Help, then click About Windows Defender.\r\n\r\n2.\r\n\t\r\n\r\nCheck the version number. If the Microsoft Antivirus engine build number reads 1.1.2101.0 or above, the update has been successfully installed.\r\nTop of sectionTop of section\r\n\t\r\nMicrosoft Forefront Security for Exchange Server\r\n\r\nPrerequisites\r\nThis security update requires Forefront Security for Exchange Server.\r\n\r\nRestart Requirement\r\n\r\nThis update is automatic does not require a restart.\r\n\r\nForefront Server security update service automatically updates the Microsoft Antimalware Engine in Forefront Security for Exchange Server. However, on computer systems running Forefront Security for Exchange Server where users have disabled the Microsoft Antimalware Engine, users will have to re-enable the engine through the administrator tool. Once re-enabled the engine should be updated by clicking \u201cupdate now\u201d.\r\n\r\nRemoval Information\r\n\r\nThis update cannot be uninstalled.\r\n\r\nVerifying Update Installation\r\n\r\nTo verify that the update has been applied to an affected system, perform the following steps:\r\n\r\n1.\r\n\t\r\n\r\nIn Forefront Administrator, click Scanner Updates and then click Antimalware Engine.\r\n\r\n2.\r\n\t\r\n\r\nCheck the version number. If the Microsoft Antimalware Engine build number reads 0.1.8.53 or above, the update has been successfully installed.\r\n\r\nFor instructions on configuring Forefront Server Security for Exchange Server engines, visit the following Microsoft Web site.\r\nTop of sectionTop of section\r\n\t\r\nMicrosoft Forefront Security for SharePoint\r\n\r\nPrerequisites\r\nThis security update requires Forefront Security for SharePoint.\r\n\r\nRestart Requirement\r\n\r\nThis update is automatic and does not require a restart.\r\n\r\nForefront Server security update service automatically updates the Microsoft Antimalware Engine in Forefront Security for SharePoint. However, on computer systems running Forefront Security for SharePoint where users have disabled the Microsoft Antimalware Engine, users will have to re-enable the engine through the administrator tool. Once re-enabled the engine should be updated by clicking \u201cupdate now\u201d.\r\n\r\nRemoval Information\r\n\r\nThis update cannot be uninstalled.\r\n\r\nVerifying Update Installation\r\n\r\nTo verify that the update has been applied to an affected system, perform the following steps:\r\n\r\n1.\r\n\t\r\n\r\nIn Forefront Administrator, click Scanner Updates and then click Microsoft Antimalware Engine.\r\n\r\n2.\r\n\t\r\n\r\nCheck the version number. If the Microsoft Antimalware Engine build number reads 0.1.8.53 or above, the update has been successfully installed.\r\n\r\nFor instructions on configuring Forefront Server Security for SharePoint engines, visit the following Microsoft Web site.\r\nTop of sectionTop of section\r\nTop of sectionTop of section\r\n\r\nAcknowledgments\r\n\r\nMicrosoft thanks the following for working with us to help protect customers:\r\n\u2022\t\r\n\r\nNeel Mehta and Alex Wheeler of ISS X-Force for reporting the Microsoft Antivirus Engine Vulnerability (CVE-2006-5270).\r\n\r\nObtaining Other Security Updates:\r\n\r\nUpdates for other security issues are available at the following locations:\r\n\u2022\t\r\n\r\nSecurity updates are available at the Microsoft Download Center. You can find them most easily by doing a keyword search for "security_patch."\r\n\u2022\t\r\n\r\nUpdates for consumer platforms are available at the Microsoft Update Web site.\r\n\r\nSupport:\r\n\u2022\t\r\n\r\nCustomers in the U.S. and Canada can receive technical support from Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates.\r\n\u2022\t\r\n\r\nInternational customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site.\r\n\r\nSecurity Resources:\r\n\u2022\t\r\n\r\nThe Microsoft TechNet Security Web site provides additional information about security in Microsoft products.\r\n\u2022\t\r\n\r\nTechNet Update Management Center\r\n\u2022\t\r\n\r\nMicrosoft Software Update Services\r\n\u2022\t\r\n\r\nMicrosoft Windows Server Update Services\r\n\u2022\t\r\n\r\nMicrosoft Baseline Security Analyzer (MBSA)\r\n\u2022\t\r\n\r\nWindows Update\r\n\u2022\t\r\n\r\nMicrosoft Update\r\n\u2022\t\r\n\r\nWindows Update Catalog: For more information about the Windows Update Catalog, see Microsoft Knowledge Base Article 323166.\r\n\u2022\t\r\n\r\nOffice Update \r\n\r\nSoftware Update Services:\r\n\r\nBy using Microsoft Software Update Services (SUS), administrators can quickly and reliably deploy the latest critical updates and security updates to Windows 2000 and Windows Server 2003-based servers, and to desktop systems that are running Windows 2000 Professional or Windows XP Professional.\r\n\r\nFor more information about how to deploy security updates by using Software Update Services, visit the Software Update Services Web site.\r\n\r\nWindows Server Update Services:\r\n\r\nBy using Windows Server Update Services (WSUS), administrators can quickly and reliably deploy the latest critical updates and security updates for Windows 2000 operating systems and later, Office XP and later, Exchange Server 2003, and SQL Server 2000 onto Windows 2000 and later operating systems.\r\n\r\nFor more information about how to deploy security updates using Windows Server Update Services, visit the Windows Server Update Services Web site.\r\n\r\nSystems Management Server:\r\n\r\nMicrosoft Systems Management Server (SMS) delivers a highly configurable enterprise solution for managing updates. By using SMS, administrators can identify Windows-based systems that require security updates and can perform controlled deployment of these updates throughout the enterprise with minimal disruption to end users. For more information about how administrators can use SMS 2003 to deploy security updates, visit the SMS 2003 Security Patch Management Web site. SMS 2.0 users can also use Software Updates Service Feature Pack to help deploy security updates. For information about SMS, visit the SMS Web site.\r\n\r\nNote SMS uses the Microsoft Baseline Security Analyzer, the Microsoft Office Detection Tool, and the Enterprise Update Scan Tool to provide broad support for security bulletin update detection and deployment. Some software updates may not be detected by these tools. Administrators can use the inventory capabilities of the SMS in these cases to target updates to specific systems. For more information about this procedure, visit the following Web site. Some security updates require administrative rights following a restart of the system. Administrators can use the Elevated Rights Deployment Tool (available in the SMS 2003 Administration Feature Pack and in the SMS 2.0 Administration Feature Pack) to install these updates.\r\n\r\nDisclaimer:\r\n\r\nThe information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.\r\n\r\nRevisions: \r\n\u2022\t\r\n\r\nV1.0 (February 13, 2007): Bulletin published.", "edition": 1, "modified": "2007-02-13T00:00:00", "published": "2007-02-13T00:00:00", "id": "SECURITYVULNS:DOC:16057", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:16057", "title": "Microsoft Security Bulletin MS07-010 Vulnerability in Microsoft Malware Protection Engine Could Allow Remote Code Execution (932135)", "type": "securityvulns", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2021-04-01T06:15:36", "description": "The remote host is running a version of Windows Malware Protection\nengine that is vulnerable to a bug in the PDF file handling routine\nthat could allow an attacker execute arbitrary code on the remote host\nby sending a specially crafted file.", "edition": 28, "published": "2007-02-13T00:00:00", "title": "MS07-010: Vulnerability in Microsoft Malware Protection Engine Could Allow Remote Code Execution (932135)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2006-5270"], "modified": "2021-04-02T00:00:00", "cpe": ["cpe:/a:microsoft:forefront_security", "cpe:/a:microsoft:antigen", "cpe:/a:microsoft:malware_protection_engine", "cpe:/a:microsoft:windows_defender", "cpe:/a:microsoft:windows_live_onecare"], "id": "SMB_NT_MS07-010.NASL", "href": "https://www.tenable.com/plugins/nessus/24334", "sourceData": "#\n# Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(24334);\n script_version(\"1.29\");\n script_cvs_date(\"Date: 2018/11/15 20:50:30\");\n\n script_cve_id(\"CVE-2006-5270\");\n script_bugtraq_id(22479);\n script_xref(name:\"MSFT\", value:\"MS07-010\");\n script_xref(name:\"MSKB\", value:\"932135\");\n \n script_xref(name:\"CERT\", value:\"511577\");\n\n script_name(english:\"MS07-010: Vulnerability in Microsoft Malware Protection Engine Could Allow Remote Code Execution (932135)\");\n script_summary(english:\"Determines the version of Malware Protection Engine\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"Arbitrary code can be executed on the remote host through the\nAntiMalware program.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running a version of Windows Malware Protection\nengine that is vulnerable to a bug in the PDF file handling routine\nthat could allow an attacker execute arbitrary code on the remote host\nby sending a specially crafted file.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2007/ms07-010\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for Windows Defender and Live\nOneCare.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2007/02/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2007/02/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2007/02/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:antigen\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:forefront_security\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:malware_protection_engine\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:windows_defender\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:windows_live_onecare\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(english:\"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, 'Host/patch_management_checks');\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\n\n\ninclude(\"misc_func.inc\");\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS07-010';\nkbs = make_list(\"932135\");\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\n\nlogin\t= kb_smb_login();\npass \t= kb_smb_password();\ndomain \t= kb_smb_domain();\nport = kb_smb_transport();\n\nif(! smb_session_init()) audit(AUDIT_FN_FAIL, \"smb_session_init\");\n\nr = NetUseAdd(login:login, password:pass, domain:domain, share:\"IPC$\");\nif (r != 1)\n{\n NetUseDel();\n audit(AUDIT_SHARE_FAIL,\"IPC$\");\n}\n\nhklm = RegConnectRegistry(hkey:HKEY_LOCAL_MACHINE);\nif (isnull(hklm))\n{\n NetUseDel();\n audit(AUDIT_REG_FAIL);\n}\n\nkeys = make_list (\n\t\"SOFTWARE\\Microsoft\\Windows Defender\\Signature Updates\",\n\t\"SOFTWARE\\Microsoft\\OneCare Protection\\Signature Updates\"\n\t);\n\nforeach key (keys)\n{\n value = NULL;\n item = \"EngineVersion\";\n key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);\n if (!isnull(key_h))\n {\n value = RegQueryValue(handle:key_h, item:item);\n RegCloseKey(handle:key_h);\n }\n\n if (!isnull(value))\n {\n v = split(value[1], sep:\".\", keep:FALSE);\n\n if ( ( (int(v[0]) == 1) && (int(v[1]) < 1) ) ||\n ( (int(v[0]) == 1) && (int(v[1]) == 1) && (int(v[2]) < 2101) ) )\n {\n {\n set_kb_item(name:\"SMB/Missing/MS07-010\", value:TRUE);\n info =\n '\\n Installed version : ' + value[1] +\n '\\n Fixed version : 1.1.2101.0\\n';\n hotfix_add_report(info, bulletin:\"MS07-010\", kb:\"932135\");\n hotfix_security_hole();\n }\n break;\n }\n }\n}\n\n\nRegCloseKey(handle:hklm);\nNetUseDel();\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}]}
