agsandrew - Fotolia
Microsoft created Windows Defender flaw by breaking UnRAR code
Microsoft's poor coding when forking and modifying open source UnRAR code introduced a critical Windows Defender flaw that could allow an attacker full system rights.
A security researcher found poor coding practices led to a critical Windows Defender flaw, which Microsoft has patched.
Thomas Dullien, aka Halvar Flake, a Google engineer based in Switzerland, found the Windows Defender flaw in the Malware Protection Engine and reported the issue to Microsoft on March 1. Dullien wrote in the bug tracker that Microsoft had "forked and modified" UnRAR code and apparently changed integer variables from signed to unsigned.
"It appears that this blanket conversion from signed to unsigned ended up introducing a new vulnerability, though," Dullien wrote in the bug report. "[A code] check is no longer present in the binary version of the same code in mpengine, most likely since most signed comparisons in this function have been turned unsigned. This causes a vulnerability later in the same function."
Google Project Zero vulnerability hunter Tavis Ormandy expressed shock at Microsoft's mistake on Twitter.
This is amazing, Windows Defender used the open source unrar code, but changed all the signed ints to unsigned for some reason, breaking the code. @halvarflake noticed and got it fixed. Remote SYSTEM memory corruption https://t.co/gsx9ZMk1Hz— Tavis Ormandy (@taviso) April 4, 2018
Dullien said an attacker could exploit the Windows Defender flaw with a malicious RAR file, causing memory corruption and a crash.
Microsoft added in its vulnerability report for CVE-2018-0986 that by exploiting this issue, an attacker "could execute arbitrary code in the security context of the LocalSystem account and take control of the system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."
The patch to fix the Windows Defender flaw was pushed out automatically and Microsoft said no action is needed by enterprises to mitigate the issue.
Microsoft has seen other critical flaws disclosed for Windows Defender recently. Last May Microsoft issued an out-of-band patch the day before the software giant's Patch Tuesday release after Google's Project Zero research found a critical vulnerability in the Microsoft Malware Protection Engine, which is used in Windows Defender. Another Windows Defender flaw involving memory corruption was discovered by Project Zero a month later and patched by Microsoft.