A Windows Defender Flaw Lurked Undetected for 12 Years
Just because a vulnerability is old doesn’t mean it’s not useful. Whether it’s Adobe Flash hacking or the EternalBlue exploit for Windows, some methods are just too good for attackers to abandon, even if they’re years past their prime. But a critical 12-year-old bug in Microsoft’s ubiquitous Windows Defender antivirus was seemingly overlooked by attackers and defenders alike until recently. Now that Microsoft has finally patched it, the key is to make sure hackers don’t try to make up for lost time.
The flaw, discovered by researchers at the security firm SentinelOne, showed up in a driver that Windows Defender—renamed Microsoft Defender last year—uses to delete the invasive files and infrastructure that malware can create. When the driver removes a malicious file, it replaces it with a new, benign one as a sort of placeholder during remediation. But the researchers discovered that the system doesn’t specifically verify that new file. As a result, an attacker could insert strategic system links that direct the driver to overwrite the wrong file or even run malicious code.
Windows Defender would be endlessly useful to attackers for such a manipulation, because it ships with Windows by default and is therefore present in hundreds of millions of computers and servers around the world. The antivirus program is also highly trusted within the operating system, and the vulnerable driver is cryptographically signed by Microsoft to prove its legitimacy. In practice, an attacker exploiting the flaw could delete crucial software or data, or even direct the driver to run their own code to take over the device.
“This bug allows privilege escalation,” says Kasif Dekel, senior security researcher at SentinelOne. “Software that’s running under low privileges can elevate to administrative privileges and compromise the machine.”
SentinelOne first reported the bug to Microsoft in mid-November, and the company released a patch on Tuesday. Microsoft rated the vulnerability as a “high” risk, though there are important caveats. The vulnerability can only be exploited when an attacker already has access—remote or physical—to a target device. This means it isn’t a one-stop shop for hackers and would need to be deployed alongside other exploits in most attack scenarios. But it would still be an appealing target for hackers who already have that access. An attacker could take advantage of having compromised any Windows machine to bore deeper into a network or victim’s device without having to first gain access to privileged user accounts, like those of administrators.
SentinelOne and Microsoft agree there is no evidence that the flaw was discovered and exploited prior to the researchers’ analysis. And SentinelOne is withholding specifics on how the attackers could leverage the flaw to give Microsoft’s patch time to proliferate. Now that the findings are public, though, it’s only a matter of time before bad actors figure out how to take advantage. A Microsoft spokesperson noted that anyone who installed the February 9 patch, or has auto-updates enabled, is now protected.
In the world of mainstream operating systems, a dozen years is a long time for a bad vulnerability to hide. And the researchers say that it may have been present in Windows for even longer, but their investigation was limited by how long the security tool VirusTotal stores information on antivirus products. In 2009, Windows Vista was replaced by Windows 7 as the current Microsoft release.
The researchers hypothesize that the bug stayed hidden for so long because the vulnerable driver isn’t stored on a computer’s hard drive full-time, like your printer drivers are. Instead, it sits in a Windows system called a “dynamic-link library,” and Windows Defender only loads it when needed. Once the driver is done working, it gets wiped from the disk again.