A Windows Defender vulnerability lurked undetected for 12 years

13/02/2021

Shadowy figures stand beneath a Microsoft logo on a faux wood wall.

Just because a vulnerability is old doesn’t mean it’s not useful. Whether it’s Adobe Flash hacking or the EternalBlue exploit for Windows, some methods are just too good for attackers to abandon, even if they’re years past their prime. But a critical 12-year-old bug in Microsoft’s ubiquitous Windows Defender antivirus was seemingly overlooked by attackers and defenders alike until recently. Now that Microsoft has finally patched it, the key is to make sure hackers don’t try to make up for lost time.

The flaw, discovered by researchers at the security firm SentinelOne, showed up in a driver that Windows Defender—renamed Microsoft Defender last year—uses to delete the invasive files and infrastructure that malware can create. When the driver removes a malicious file, it replaces it with a new, benign one as a sort of placeholder during remediation. But the researchers discovered that the system doesn’t specifically verify that new file. As a result, an attacker could insert strategic system links that direct the driver to overwrite the wrong file or even run malicious code.
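To make the bug class concrete, here is an added illustration (not Defender's code, which is not public, and not from the researchers) of a remediation routine that replaces a suspect file with a benign placeholder: the naive version follows whatever link sits at the path, while the hardened version refuses links and creates the placeholder without a race window. It assumes a POSIX host; `naive_remediate`, `safe_remediate` and `demo` are names chosen for the example.

```python
import os
import stat
import tempfile
from pathlib import Path

# Added illustration (not Defender's code); assumes a POSIX host with os.open(dir_fd=...).
def naive_remediate(path: str, placeholder: bytes = b"") -> None:
    """Vulnerable pattern: open() follows a link at `path`, so the placeholder lands
    wherever the link points instead of where the scanner found the file."""
    with open(path, "wb") as f:
        f.write(placeholder)

def safe_remediate(path: str, placeholder: bytes = b"") -> None:
    """Hardened pattern: never follow links, work relative to a directory handle,
    and create the placeholder with O_EXCL so nothing can be swapped in between steps."""
    parent, name = os.path.split(os.path.abspath(path))
    dfd = os.open(parent, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)  # rejects a linked parent
    try:
        st = os.lstat(name, dir_fd=dfd)  # lstat inspects the entry itself, not its target
        if stat.S_ISLNK(st.st_mode):
            raise PermissionError(f"refusing to remediate through a symbolic link: {path}")
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError(f"not a regular file: {path}")
        os.unlink(name, dir_fd=dfd)
        flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
        fd = os.open(name, flags, 0o644, dir_fd=dfd)  # O_EXCL fails if anything reappeared
        try:
            os.write(fd, placeholder)
        finally:
            os.close(fd)
    finally:
        os.close(dfd)

def demo() -> dict:
    """Constructed scenario: suspect.bin links to victim.txt; dropper.bin is a real file."""
    with tempfile.TemporaryDirectory() as d:
        victim, link, regular = (os.path.join(d, n) for n in ("victim.txt", "suspect.bin", "dropper.bin"))
        Path(victim).write_bytes(b"important data")
        os.symlink(victim, link)
        Path(regular).write_bytes(b"constructed malicious content")
        refused = False
        try:
            safe_remediate(link)  # must refuse: the entry is a link, not the file itself
        except PermissionError:
            refused = True
        safe_remediate(regular, b"quarantined")  # regular file: replaced in place
        return {"refused_link": refused,
                "victim_intact": Path(victim).read_bytes() == b"important data",
                "regular_replaced": Path(regular).read_bytes() == b"quarantined"}
```

The same lstat-before-open and exclusive-create discipline is the check a reviewer would ask for in any scanner or cleanup tool that writes to paths it did not create itself.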

Windows Defender would be endlessly useful to attackers for such a manipulation, because it ships with Windows by default and is therefore present in hundreds of millions of computers and servers around the world. The antivirus program is also highly trusted within the operating system, and the vulnerable driver is cryptographically signed by Microsoft to prove its legitimacy. In practice, an attacker exploiting the flaw could delete crucial software or data, or even direct the driver to run their own code to take over the device.

“This bug allows privilege escalation,” says Kasif Dekel, senior security researcher at SentinelOne. “Software that’s running under low privileges can elevate to administrative privileges and compromise the machine.”


SentinelOne first reported the bug to Microsoft in mid-November, and the company released a patch on Tuesday. Microsoft rated the vulnerability as a “high” risk, though there are important caveats. The vulnerability can only be exploited when an attacker already has access—remote or physical—to a target device. This means it isn’t a one-stop shop for hackers and would need to be deployed alongside other exploits in most attack scenarios. But it would still be an appealing target for hackers who already have that access. An attacker could take advantage of having compromised any Windows machine to bore deeper into a network or victim’s device without having to first gain access to privileged user accounts, like those of administrators.

SentinelOne and Microsoft agree there is no evidence that the flaw was discovered and exploited prior to the researchers’ analysis. And SentinelOne is withholding specifics on how the attackers could leverage the flaw to give Microsoft’s patch time to proliferate. Now that the findings are public, though, it’s only a matter of time before bad actors figure out how to take advantage. A Microsoft spokesperson noted that anyone who installed the February 9 patch, or has auto-updates enabled, is now protected.

An eternity

In the world of mainstream operating systems, a dozen years is a long time for a bad vulnerability to hide. And the researchers say that it may have been present in Windows for even longer, but their investigation was limited by how long the security tool VirusTotal stores information on antivirus products. In 2009, Windows Vista was replaced by Windows 7 as the current Microsoft release.

The researchers hypothesize that the bug stayed hidden for so long because the vulnerable driver isn’t stored on a computer’s hard drive full-time, like your printer drivers are. Instead, it sits in a Windows system called a “dynamic-link library,” and Windows Defender only loads it when needed. Once the driver is done working, it gets wiped from the disk again.

“Our research team noticed the driver is loaded dynamically, and then deleted when not needed, which is not a common behavior,” SentinelOne’s Dekel says. “So we looked into it. Similar vulnerabilities may exist in other products, and we hope that by disclosing this we’ll help others stay secure.”

Historic bugs crop up occasionally, from a 20-year-old Mac modem flaw to a 10-year-old zombie bug in Avaya desk phones. Developers and security researchers can’t catch everything every time. It’s even happened to Microsoft before. In July, for example, the company patched a potentially dangerous 17-year-old Windows DNS vulnerability. As with so many things in life, better late than never.

This story originally appeared on wired.com.
