Security News Windows Defender Antivirus Still Vulnerable to Attacks Despite Patches

Exterminator

Community Manager
Thread author
Verified
Staff Member
Well-known
Oct 23, 2012
12,527
Microsoft rolled out several patches for Windows Defender in order to address vulnerabilities that could have exposed Windows users, but it turns out that the company needs to do better because the antivirus is still suffering from a number of remote code execution flaws.

A report from The Reg and citing security research James Lee reveals that the MsMpEng engine of Windows Defender is open to remote code execution due to insufficient sandboxing, a problem that some other security experts warned of in the last few months.

Google’s Tavis Ormandy, who previously discovered several major bugs in Microsoft software, also came across critical bugs in Windows Defender, and reported them to the company to have them fixed.

After patches for all these reported vulnerabilities were provided, Ormandy tweeted on June 7 to reveal that he found “more critical remote mpengine vulnerabilities,” explaining that the antivirus engine needs to be sandboxed.

Microsoft needs to focus more on sandboxing
The same problem is highlighted in today’s report as well, as James Lee has discovered two remote code execution vulnerabilities that allow a system to get hacked despite running the very latest patches released by Microsoft.

It appears that the new issues aren’t related to the ones reported by Ormandy earlier this month and in late May, describing them as “multiple denial-of-service, integer overflow, and use-after-free bugs.”

An official statement from Microsoft is not available just yet, and it’s a bit worrying that reports of vulnerabilities in Windows Defender come only a few days after this month’s Patch Tuesday when the company typically addresses security vulnerabilities in its software.

For the time being, however, details of the new RCE flaws are not public, so users are protected, though Microsoft should hurry up to deliver a fix addressing all of them. Ormandy also promised to provide a full report on the flaws he discovered in MsMpEng, so Microsoft might have a lot of work to do in order to get its antivirus engine right.
 

_CyberGhosT_

Level 53
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Aug 2, 2015
4,286
Microsoft rolled out several patches for Windows Defender in order to address vulnerabilities that could have exposed Windows users, but it turns out that the company needs to do better because the antivirus is still suffering from a number of remote code execution flaws.

A report from The Reg and citing security research James Lee reveals that the MsMpEng engine of Windows Defender is open to remote code execution due to insufficient sandboxing, a problem that some other security experts warned of in the last few months.

Google’s Tavis Ormandy, who previously discovered several major bugs in Microsoft software, also came across critical bugs in Windows Defender, and reported them to the company to have them fixed.
Thanks Exterminator :)
MS is making strides in the right direction, but it will be a year or two before I wake Defender from it's slumber.
 

Winter Soldier

Level 25
Verified
Top Poster
Well-known
Feb 13, 2017
1,486
This is a long road, but new patches will come for sure.

Do you remember for example how to perform API hooking at kernel level on 32bit Windows systems to prevent a antimalware process from being terminated?
Now we can talk about OBR and callbacks mainly to show how to achieve the same result on 64bit systems.
AVs have to protect themself from malware trying to terminate their services and processes or inject arbitrary code into their executable address space.
Well no matter how hard you try, there’s really no 100% safe way to do this in user mode … you could try API hooking, passive monitoring.... but there is always a way to bypass a user mode protection. API hooks can be overwritten, monitoring can be eluded with obfuscation.

Working in the Windows kernel means developing a driver, that’s why Microsoft implemented a set of new API to intercept and eventually filter events and actions on object handles before they are actually executed by the kernel.

Technically it is very complex stuff, but very, very simply, a callback prevents some processes from being accessed with some privileges, so any malicious software that will try to terminate it or to call API such as (Write/Read)ProcessMemory will inevitably fail with "access denied" error!

So this is how AV and security softwares are being protected nowdays on 64bit systems from malicious termination, code injection, etc.

Is this enough!? No, but a lot of progress has been made and another will be made for sure.
 

jamescv7

Level 85
Verified
Honorary Member
Mar 15, 2011
13,070
Microsoft can surely derive those sandbox mechanism from IE and Edge which will make Windows Defender strong enough for possible security holes.
 
  • Like
Reactions: _CyberGhosT_

Urusen

Level 2
Verified
Aug 10, 2014
54
Defender was my easy choice. Time to pick another AV solution again...
 

Windows Defender Shill

Level 7
Verified
Well-known
Apr 28, 2017
326
Not worried

It's not in the wild

And my settings dont let non windows store apps install.

My completely uninformed guess on how this works:

This is probably executed with smart screen off and allow apps from anywhere turned on.

At which point Defender scans malicous file and it triggers Defender to run the file instead of ignoring or removing.
 
  • Like
Reactions: brod56

ispx

Level 13
Verified
Well-known
Jun 21, 2017
616
but it will be a year or two before I wake Defender from it's slumber.

two years from now the other anti-virus vendors will still be 2 years ahead of windows defender.

windows defender is like the crappy audio system you got free with your new car that you trash & replace with a pioneer or a sony.
 
  • Like
Reactions: ZeroDay

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top