Windows Defender bug could allow full-system takeover

A newly disclosed Windows Defender bug, which could allow an attacker to fully take over a target system and create admin accounts, marks yet another major antivirus vulnerability.

Just in case IT professionals needed more proof that antivirus software flaws can be some of the more dangerous... around: The latest Windows Defender bug, which could allow full-system takeovers, was discovered Monday.

Tavis Ormandy, security researcher for Google's Project Zero team, said he "took a quick stab at writing a fuzzer" for Windows Defender and immediately found the memory corruption vulnerability. Microsoft described the Windows Defender bug as a remote code execution vulnerability caused by the Microsoft Malware Protection Engine not properly scanning a malicious file.

"An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the LocalSystem account and take control of the system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights," Microsoft wrote in an advisory. "To exploit this vulnerability, a specially crafted file must be scanned by an affected version of the Microsoft Malware Protection Engine."

According to Microsoft, there are a number of ways the Windows Defender bug could be exploited, depending on how the malicious file was delivered to a location that would be scanned by the Microsoft Malware Protection Engine.

"This is a very powerful exploit primitive, and exploitation does not seem difficult," Ormandy said in his disclosure.

Simon Zerafa, a professional IT technician, said the capability of a malicious portable executable (PE) file to exploit this Windows Defender bug is very dangerous.

Microsoft pushed an automatic update with the Malware Protection Engine version 1.1.13903.0 to Windows 7, Windows 8.1, Windows 10 and Windows Server 2008.
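Because the fix shipped as an engine update rather than a Windows Update package, administrators will want to confirm the engine version on each host. The following PowerShell check is an added example, not from the article or from Microsoft; it assumes the built-in Defender module (Get-MpComputerStatus, Update-MpSignature) is available on the target hosts and uses the 1.1.13903.0 engine version named above as the minimum.

```powershell
# Added example (not the article's or Microsoft's code): report whether a host's
# Microsoft Malware Protection Engine is at or above the version that carries the fix.
# Assumes the Defender PowerShell module is present on each host.

function Test-MpEnginePatched {
    param(
        # Engine version named in the article as the patched release
        [version]$MinimumEngineVersion = [version]'1.1.13903.0',
        # Hosts to check; default is the local machine
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )
    foreach ($computer in $ComputerName) {
        try {
            # Get-MpComputerStatus exposes AMEngineVersion and signature details
            $status = if ($computer -eq $env:COMPUTERNAME) {
                Get-MpComputerStatus -ErrorAction Stop
            } else {
                Invoke-Command -ComputerName $computer -ErrorAction Stop -ScriptBlock { Get-MpComputerStatus }
            }
            $engine = [version]$status.AMEngineVersion
            [pscustomobject]@{
                ComputerName        = $computer
                EngineVersion       = $engine
                IsPatched           = ($engine -ge $MinimumEngineVersion)
                SignatureVersion    = $status.AntivirusSignatureVersion
                LastSignatureUpdate = $status.AntivirusSignatureLastUpdated
                Error               = $null
            }
        } catch {
            # A host that cannot be queried is reported, not silently skipped
            [pscustomobject]@{
                ComputerName        = $computer
                EngineVersion       = $null
                IsPatched           = $false
                SignatureVersion    = $null
                LastSignatureUpdate = $null
                Error               = $_.Exception.Message
            }
        }
    }
}

# Local check; pass -ComputerName for a list of hosts (placeholder names below)
$results = Test-MpEnginePatched
$results | Format-Table -AutoSize
foreach ($r in $results | Where-Object { -not $_.IsPatched -and -not $_.Error }) {
    Write-Warning "$($r.ComputerName): engine $($r.EngineVersion) is older than 1.1.13903.0; run Update-MpSignature and re-check."
}
```

Hosts that report an older engine after Update-MpSignature should be investigated for a blocked update channel, since the engine update is what closes this vulnerability.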

Other antivirus bugs

This Windows Defender bug is another in an increasingly long line of vulnerabilities in antivirus programs, many of which have been found by Google's Project Zero team.

In May 2017, Microsoft released an out-of-band patch to remediate a Windows Defender bug found by Ormandy and fellow Project Zero researcher Natalie Silvanovich. And, at the time, Ormandy said vulnerabilities in the Microsoft Malware Protection Engine "are among the most severe possible in Windows, due to the privilege, accessibility and ubiquity of the service."

Going back to 2015, Ormandy has found multiple vulnerabilities in Kaspersky Lab antivirus products and Symantec's Norton antivirus software. In regard to one of the antivirus bugs he found in Norton antivirus software, Ormandy said it was "about as bad as it can possibly get," because it required no user interaction and the antivirus scan engine was loaded into the system kernel.
