Microsoft Patches Critical Vulnerability In Its Own Antivirus Software


Microsoft has confirmed that a critical vulnerability in its Windows Defender antivirus software puts Windows computers at serious risk. Windows Defender could inadvertently install malware while scanning a PC for unwanted files. Microsoft has already released a patch for the problem.

The flaw was discovered by Google cybersecurity researchers Tavis Ormandy and Natalie Silvanovich. Both are members of Google’s Project Zero team, a group that has found several holes in Microsoft products in recent months.

The latest issue is the most critical to date. Described by Ormandy as “crazy bad” and one of the worst remote code execution attacks “in recent memory,” the vulnerability lets attackers hijack Windows Defender to install malware on a target system.

Ormandy discovered the problem inside Microsoft’s Malware Protection Engine, the underlying technology that powers Windows Defender’s scanning mechanisms. The flaw he found could allow code inside a specially crafted file to be executed when it is scanned by the Malware Protection Engine.

Ars Technica explains that the issue lies inside a part of Defender that’s responsible for analysing files that look like JavaScript code. The process that handles this behavior runs at one of the highest possible privilege levels but isn’t protected by a sandbox, leaving it vulnerable to attack. The researchers discovered that just two lines of JavaScript will break through the sandbox, handing control of the system to the foreign code.

In trying to remove malware from the machine, Windows Defender could give it a foothold into the system. From its initial entry point, the attacking software could gain control of the PC and establish communications with its creator. There’s the potential for a worm to be developed from the initial infection as the target PC could distribute the attack around its network.

A person is typing on a laptop keyboard with code on the screen
[Image by Yurich84/Thinkstock]Featured image credit: Yurich84Thinkstock

The vulnerability is particularly potent because of Windows Defender’s nature as an always-on antivirus utility. On most Windows machines, Defender is set to automatically scan new files to check they don’t contain malware. This means that files downloaded to your PC in the background – such as email attachments and parts of webpages – are scanned as they arrive. A specially crafted email could use the flaw to attack your device even if you don’t read the message.

Microsoft has confirmed the existence of the problem and has developed a patch that closes the hole. Addressing the discovery in a security advisory this week, Microsoft confirmed that successful exploitation would see the attacker “take control of the system.”

“The update addresses a vulnerability that could allow remote code execution if the Microsoft Malware Protection Engine scans a specially crafted file,” Microsoft said. “An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the LocalSystem account and take control of the system.”

Hands typing on a laptop keyboard with blurred email icons coming out of the screen
[Image by oatawa/Thinkstock]Featured image credit: oatawaThinkstock

Microsoft has been commended for its response to the disclosure. Ormandy sent details of the issue to Microsoft on Friday evening. After initially expecting to wait weeks for a patch to be developed, Microsoft surprised cybersecurity experts by releasing an update late on Monday evening.

Microsoft said the current risk to Windows users is relatively low because the patch will be automatically installed within the next couple of days. Assuming an internet connection is available, the Microsoft Malware Protection Engine will automatically update itself within 48 hours of a new release being made available.

You can check whether your device is protected by heading to Windows 10’s Settings app, clicking “Update & security,” and checking the “Engine version” line under “Windows Defender.” If you have version 1.1.13704.0, you’ve already got the update. If it hasn’t arrived yet, you can manually install it by pressing “Check for updates” in Windows Update. If you have a computer running Windows 7 or 8, you can check your Windows Defender version by opening the app from the Start Menu.

[Featured Image by scyther5/Thinkstock]