MS Security Advisory 4022344: Security Update for Microsoft Malware Protection Engine

Critical Nessus Plugin ID 100051


The remote host has an antimalware application installed that is affected by a remote code execution vulnerability.


The version of Microsoft Malware Protection Engine (MMPE) installed on the remote Windows host is prior to 1.1.13704.0. It is, therefore, affected by a remote code execution vulnerability in the NScript component in mpengine.dll due to a type confusion error. An unauthenticated, remote attacker can exploit this, via a specially crafted file, to execute arbitrary code in the security context of the LocalSystem account.

Nessus has checked if a vulnerable version of MMPE is being used by any of the following applications :

- Microsoft Forefront Endpoint Protection 2010
- Microsoft Endpoint Protection
- Microsoft Forefront Security for SharePoint
- Microsoft System Center Endpoint Protection
- Microsoft Security Essentials
- Windows Defender for Windows 7, Windows 8.1, Windows RT 8.1, Windows 10, Windows 10 1511, Windows 10 1607, Windows 10 1703, and Windows Server 2016
- Windows Intune Endpoint Protection


Enable automatic updates to update the scan engine for the relevant antimalware applications. Refer to KB4022344 for information on how to verify MMPE has been updated.

See Also

Plugin Details

Severity: Critical

ID: 100051

File Name: smb_kb4022344.nasl

Version: 1.9

Type: local

Agent: windows

Family: Windows

Published: 2017/05/09

Updated: 2018/11/15

Dependencies: 43164, 13855

Risk Information

Risk Factor: Critical

CVSS v2.0

Base Score: 10

Temporal Score: 8.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:H/RL:OF/RC:C

CVSS v3.0

Base Score: 9.8

Temporal Score: 9.4

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:H/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:microsoft:windows, cpe:/a:microsoft:malware_protection_engine

Required KB Items: SMB/Registry/Enumerated

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2017/05/09

Vulnerability Publication Date: 2017/05/09

Reference Information

CVE: CVE-2017-0290

BID: 98330

MSKB: 4022344