Just in case IT professionals needed more proof that antivirus software flaws can be some of the more dangerous...
around: The latest Windows Defender bug, which could allow full-system takeovers, was discovered Monday.
Tavis Ormandy, security researcher for Google's Project Zero team, said he "took a quick stab at writing a fuzzer" for Windows Defender and immediately found the memory corruption vulnerability. Microsoft described the Windows Defender bug as a remote code execution vulnerability caused by the Microsoft Malware Protection Engine not properly scanning a malicious file.
"An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the LocalSystem account and take control of the system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights," Microsoft wrote in an advisory. "To exploit this vulnerability, a specially crafted file must be scanned by an affected version of the Microsoft Malware Protection Engine."
According to Microsoft, there are a number of ways the Windows Defender bug could be exploited, depending on how the malicious file was delivered to a location that would be scanned by the Microsoft Malware Protection Engine.
"This is a very powerful exploit primitive, and exploitation does not seem difficult," Ormandy said in his disclosure.
Simon Zerafa, a professional IT technician, said the capability of a malicious portable executable (PE) file to exploit this Windows Defender bug is very dangerous.
So if you can make anything which is downloaded via any process look like a PE file then you could get System level execution. Marvelous! 🙁— Simon Zerafa (@SimonZerafa) June 23, 2017
Microsoft pushed an automatic update with the Malware Protection Engine version 1.1.13903.0 to Windows 7, Windows 8.1, Windows 10 and Windows Server 2008.
Other antivirus bugs
This Windows Defender bug is another in an increasingly long line of vulnerabilities in antivirus programs, many of which have been found by Google's Project Zero team.
In May 2017, Microsoft released an out-of-band patch to remediate a Windows Defender bug found by Ormandy and fellow Project Zero researcher Natalie Silvanovich. And, at the time, Ormandy said vulnerabilities in the Microsoft Malware Protection Engine "are among the most severe possible in Windows, due to the privilege, accessibility and ubiquity of the service."
Going back to 2015, Ormandy has found multiple vulnerabilities in Kaspersky Lab antivirus products and Symantec's Norton antivirus software. In regard to one of the antivirus bugs he found in Norton antivirus software, Ormandy said it was "about as bad as it can possibly get," because it required no user interaction and the antivirus scan engine was loaded into the system kernel.
Learn what vulnerabilities in antivirus tools can mean for enterprise.
Find out if Windows Defender Advanced Threat Protection has improved.
Get info on how Windows Defender Offline protects endpoints.