Microsoft has closed a vulnerability that had been present in the antivirus software Microsoft Defender for 12 years. As far as is known, the bug was not actively exploited.
The vulnerability was discovered by the security company SentinelOne. The problem was in a driver that Microsoft Defender uses to remove detected threats. When this driver deletes a file, it replaces it with another file as a temporary placeholder. However, SentinelOne researchers found out that Defender does not verify this new file. An attacker can get Defender to overwrite the wrong file or even run malicious code by creating a system link.
Defender trusted by Windows computers
Precisely because Defender is Microsoft software and is installed by default on almost all Windows computers, an attacker could deal a lot of damage with the vulnerability. Furthermore, Defender has many rights within Windows to do its job properly as antivirus software. Malicious parties can use the vulnerability to escalate a program’s privileges and gain administrator rights with it, writes ArsTechnica.
Incidentally, the vulnerability cannot be used to take over a remote computer. To exploit the vulnerability, the attacker must already have some form of access to the computer, be it physical or remote. However, it can be an important tool in an attacker’s toolbox to gain administrator privileges on a hacked computer.
Microsoft classified the vulnerability as “high risk” and fixed it with an update. This patch was part of Patch Tuesday on 9 February. SentinelOne deliberately did not publish the vulnerability details, so attackers could not take advantage of users who had not yet updated their computers.
Microsoft closed several vulnerabilities during Patch Tuesday. Although the vulnerability in Defender was not actively exploited, this was the case with CVE-2021-1732. This is a bug in Win32k that made it possible to elevate privileges. This zero-day was used to attack targets in Pakistan and China, according to the Chinese security company DBAPPSecurity.