Just because a vulnerability is old does not mean it is not useful. Whether it is Adobe Flash hacking or the EternalBlue exploit for Windows, some methods are just too good for attackers to give up, even if they are past their prime. But a 12-year-old critical bug in Microsoft’s ubiquitous Windows Defender antivirus was apparently overlooked by attackers and defenders alike until recently. Now that Microsoft has finally fixed it, the key is to ensure that hackers don’t try to make up for lost time.
The flaw, discovered by researchers at security firm SentinelOne, sits in a driver that Windows Defender, renamed Microsoft Defender last year, uses to remove invasive files and infrastructure that malware can create. When the driver deletes a malicious file, it replaces it with a new benign file as a kind of placeholder during remediation. But the researchers found that the system does not specifically verify this new file. As a result, an attacker could insert system links that direct the driver to overwrite the wrong file or even execute malicious code.
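The bug class described above, a trusted component writing a placeholder at a path without checking what now sits there, can be shown with a POSIX analogy. This is an added example, not SentinelOne's or Microsoft's code and not the Defender driver's logic, whose details the researchers withheld; the function names, file names and file contents are constructed for illustration.

```python
import os
import tempfile

PLACEHOLDER = b"benign placeholder\n"  # constructed sample content


def write_placeholder_unchecked(path):
    """Flawed pattern: write to whatever the path resolves to."""
    with open(path, "wb") as f:  # follows links and truncates the link target
        f.write(PLACEHOLDER)


def write_placeholder_checked(path):
    """Hardened pattern: create a brand-new file, never through a link."""
    # O_CREAT|O_EXCL fails if anything (including a symlink) already exists
    # at the path; O_NOFOLLOW is kept as defence in depth.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(PLACEHOLDER)


def demo(writer):
    """Run one remediation cycle in a scratch directory and return the
    final contents of an unrelated file that must not change."""
    with tempfile.TemporaryDirectory() as d:
        protected = os.path.join(d, "protected.cfg")  # stands in for a system file
        with open(protected, "wb") as f:
            f.write(b"important data\n")
        flagged = os.path.join(d, "flagged.bin")      # file being remediated
        with open(flagged, "wb") as f:
            f.write(b"sample flagged content\n")
        os.remove(flagged)               # step 1: remediation deletes the file
        os.symlink(protected, flagged)   # a link appears at the now-free path
        try:
            writer(flagged)              # step 2: placeholder is written
        except FileExistsError:
            pass                         # hardened writer refuses the path
        with open(protected, "rb") as f:
            return f.read()


if __name__ == "__main__":
    print("unchecked:", demo(write_placeholder_unchecked))
    print("checked:  ", demo(write_placeholder_checked))
```

With the unchecked writer the unrelated file ends up holding the placeholder bytes; with the checked writer it is untouched because creation fails when the path is already occupied.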
Windows Defender would be immeasurably useful to attackers for such manipulation, as it ships with Windows by default and is therefore present on hundreds of millions of computers and servers around the world. The antivirus program is also highly trusted within the operating system, and the vulnerable driver is cryptographically signed by Microsoft to prove its legitimacy. In practice, an attacker exploiting the vulnerability could delete crucial software or data, or even direct the driver to execute their own code to take control of the device.
“This bug allows elevation of privilege,” says Kasif Dekel, senior security researcher at SentinelOne. “Software run with low privileges can become administrative privileges and compromise the machine.”
SentinelOne first reported the bug to Microsoft in mid-November, and the company released a fix on Tuesday. Microsoft has rated the vulnerability as “high”, although there are important caveats. The vulnerability can only be exploited when an attacker already has access, remote or physical, to a target device. This means that it is not a one-stop shop for hackers and would need to be deployed alongside other exploits in most attack scenarios. But it would still be an attractive target for hackers who already have this access. An attacker who has compromised any Windows machine could use the flaw to dig deeper into a network or the victim’s device without first gaining access to privileged user accounts, such as administrators.
SentinelOne and Microsoft agree that there is no evidence that the flaw was discovered and exploited prior to the researchers’ analysis. And SentinelOne is withholding details of how attackers could take advantage of the flaw to give Microsoft’s patch time to proliferate. Now that the results are public, it’s only a matter of time before bad actors figure out how to profit from them. A Microsoft spokesperson noted that anyone who installed the February 9 hotfix or turned on automatic updates is now protected.
In the world of consumer operating systems, a dozen years is a long time for a bad vulnerability to lurk. And researchers say it may have been present in Windows for even longer, but their investigation was limited by how long the VirusTotal security tool stores information about antivirus products. In 2009, Windows Vista was replaced by Windows 7 as Microsoft’s current release.
Researchers hypothesize that the bug stayed hidden for so long because the vulnerable driver is not stored full time on a computer’s hard drive, the way your printer drivers are. Instead, it sits in a Windows system called a “dynamic-link library,” and Windows Defender only loads it when it’s needed. Once the driver has finished working, it is erased from disk again.