Sergey Nivens - Fotolia

Windows Defender bug could allow full-system takeover

A newly disclosed Windows Defender bug, which could allow an attacker to fully take over a target system and create admin accounts, marks yet another major antivirus vulnerability.

Just in case IT professionals needed more proof that antivirus software flaws can be some of the more dangerous around: The latest Windows Defender bug, which could allow full-system takeovers, was discovered Monday.

Tavis Ormandy, security researcher for Google's Project Zero team, said he "took a quick stab at writing a fuzzer" for Windows Defender and immediately found the memory corruption vulnerability. Microsoft described the Windows Defender bug as a remote code execution vulnerability caused by the Microsoft Malware Protection Engine not properly scanning a malicious file.

"An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the LocalSystem account and take control of the system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights," Microsoft wrote in an advisory. "To exploit this vulnerability, a specially crafted file must be scanned by an affected version of the Microsoft Malware Protection Engine."

According to Microsoft, there are a number of ways the Windows Defender bug could be exploited, depending on how the malicious file was delivered to a location that would be scanned by the Microsoft Malware Protection Engine.

"This is a very powerful exploit primitive, and exploitation does not seem difficult," Ormandy said in his disclosure.

Simon Zerafa, a professional IT technician, said the capability of a malicious portable executable (PE) file to exploit this Windows Defender bug is very dangerous.

Microsoft pushed an automatic update with the Malware Protection Engine version 1.1.13903.0 to Windows 7, Windows 8.1, Windows 10 and Windows Server 2008.

Other antivirus bugs

This Windows Defender bug is another in an increasingly long line of vulnerabilities in antivirus programs, many of which have been found by Google's Project Zero team.

In May 2017, Microsoft released an out-of-band patch to remediate a Windows Defender bug found by Ormandy and fellow Project Zero researcher Natalie Silvanovich. And, at the time, Ormandy said vulnerabilities in the Microsoft Malware Protection Engine "are among the most severe possible in Windows, due to the privilege, accessibility and ubiquity of the service."

Going back to 2015, Ormandy has found multiple vulnerabilities in Kaspersky Lab antivirus products and Symantec's Norton antivirus software. In regard to one of the antivirus bugs he found in Norton antivirus software, Ormandy said it was "about as bad as it can possibly get," because it required no user interaction and the antivirus scan engine was loaded into the system kernel.

Next Steps

Learn what vulnerabilities in antivirus tools can mean for enterprise.

Find out if Windows Defender Advanced Threat Protection has improved.

Get info on how Windows Defender Offline protects endpoints.

Dig Deeper on Application and platform security

Enterprise Desktop
Cloud Computing