lolloj - Fotolia
A remote code execution vulnerability in Microsoft's Windows Defender antivirus tool allowed remote attackers to take over a system by sending an email or message that was automatically scanned by the malware protection tool. How does this vulnerability work?
Many antivirus tools have been around since before Windows 95 and, as a result, may have significant legacy code bases. Much of the functionality of antivirus software hasn't changed significantly in many years.
An antivirus program needs to be able to scan potentially malicious files and analyze them without actually infecting the endpoint. To do this, antivirus programs need to be able to parse many different file, compression and encoding formats, and often this is done by adding new subroutines or plug-ins to the main file scanning functionality.
Antivirus programs typically have similar functionality between versions running on a server and those running on an endpoint. The programs may also have sandboxing functionality, self-defense functionality or functionality to run parts of the antivirus program with the least privileges in case there is an issue to limit the impact of a potential vulnerability.
A code execution vulnerability in Windows Defender antivirus, identified by Tavis Ormandy as part of his personal mission to improve the state of antivirus software, allowed a remote attacker to take over a system by sending an email or message to be automatically scanned by the malware protection tool.
Find out why sandboxing technology is key to malware detection
Learn the basics of using PowerShell for Linux
Read about securing endpoint devices by preventing code execution
Dig Deeper on Endpoint protection and client security
Related Q&A from Nick Lewis
Cisco Talos' Thanatos ransomware decryptor can recover files affected by new ransomware that won't decrypt ransomed files even when a ransom has been... Continue Reading
A phishing campaign targeting Trezor wallets may have poisoned DNS or hijacked BGP to gain access. Learn how the attack worked and how to mitigate it... Continue Reading
Okta researchers found a bypass that allows macOS malware to pose as signed Apple files. Discover how this is possible and how to mitigate this ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.