A security bulletin by Microsoft, prompted by Google Project Zero researchers, is alerting the public to one of the most potentially disastrous exploits in the history of Windows software: a bug that targets the Windows Defender antivirus engine and turns the scanner itself into a malware installer at the drop of a hat. It affects every supported version of the Microsoft Malware Protection Engine, which means Windows Defender on Windows 8.1 and 10, Microsoft Security Essentials on Windows 7, the Server releases, and the other Microsoft products that embed the same engine. Microsoft's security teams are advising everyone to make sure their engine is up to date as soon as possible. Network administrators are being encouraged to confirm the update has landed, and Microsoft itself is shipping the fix immediately, as an engine update through the normal definition-update channel, to all 400 million-odd users on Windows 10.
Before you even start reading this article, hit WIN key + I, head to "Update & security", and check for new updates. Because the fix ships as an update to the Malware Protection Engine rather than as a separate hotfix, it arrives alongside the Defender definition updates; if your system is still on a vulnerable engine, it will be pulled in here. I do suggest applying it immediately. This exploit is the equivalent of thinking you're safe inside Gondor behind those thick walls, and Sauron's Uruk-hai come bearing flowers in boxes for the guards, but once the guards look at them the "flowers" turn out to be Nazgûl and it all goes to hell.
The exploit was discovered by Google's Project Zero research team, whose job is to find and report serious vulnerabilities in widely used software such as Microsoft Windows, the major browsers, and popular applications that ship their own update mechanisms. Discovered by researchers Tavis Ormandy and Natalie Silvanovich and tracked as CVE-2017-0290, the bug is a remote code execution vulnerability that is triggered in Windows Defender while it scans the attacker's file. The flaw sits in NScript, the part of the scanning engine (mpengine) that evaluates anything in a file that looks like JavaScript; a crafted file causes memory corruption (a type confusion) in that interpreter, and because NScript is neither sandboxed nor privilege-separated, the attacker's code runs with the full privileges of the scanner.
I think @natashenka and I just discovered the worst Windows remote code exec in recent memory. This is crazy bad. Report on the way. 🔥🔥🔥
— Tavis Ormandy (@taviso) May 6, 2017
Windows Defender relies on a service called MsMpEng, the anti-malware scanning service, which runs with full system privileges no matter which user is logged on, whether a limited account or an administrator. More specifically, the service runs as NT AUTHORITY\SYSTEM (the LocalSystem account), which has access to every part of the operating system. The exploit also works on servers running Server 2012 and 2016, and it will even work against servers that have hardened access and are firewalled, because the scanner inspects any file that lands on disk, for instance a file uploaded to a web application hosted on Microsoft's Internet Information Services (IIS). In short, it works on just about any system on the internet running these versions of Windows.
In every case, the file is scanned by Defender via MsMpEng, the crafted content corrupts the scanner's memory mid-scan, and the attacker's code runs inside the scanner as SYSTEM and hijacks the system. Yikes! Oh, and no user action is needed beyond getting the file onto the machine, so you can also deliver the attack over Twitter. DO NOT click the previous link if you use Edge or Internet Explorer before updating, or else your system will likely crash and need a reboot. Seriously.
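The two checks a practitioner wants after reading the above are (a) whether this machine's Malware Protection Engine is already at the version that carries the fix, and (b) confirmation that the scanning service really does run as SYSTEM. The following PowerShell is an added example, not code from the article or from Microsoft; it assumes the built-in Defender module (Get-MpComputerStatus, Update-MpSignature) is present, as on Windows 8.1/10 and Server 2012 R2/2016, and uses 1.1.13704.0 as the first fixed engine version, which is the figure given in Microsoft Security Advisory 4022344.

```powershell
# Added example (not from the original article). Checks the Malware Protection
# Engine version against the first fixed build and shows the account that
# hosts MsMpEng.exe. Assumes the Defender PowerShell module is available.

# First engine version with the fix, per Microsoft Security Advisory 4022344.
$FixedEngine = [version]'1.1.13704.0'

function Test-MpEnginePatched {
    # AMEngineVersion is a dotted string such as "1.1.13704.0"; cast it so
    # the comparison is numeric per component rather than lexical.
    $status = Get-MpComputerStatus
    $engine = [version]$status.AMEngineVersion
    [pscustomobject]@{
        EngineVersion  = $engine
        FixedVersion   = $FixedEngine
        Patched        = ($engine -ge $FixedEngine)
        ServiceRunning = $status.AMServiceEnabled
    }
}

function Get-MpServiceAccount {
    # MsMpEng.exe is hosted by the WinDefend service; StartName is the
    # account it runs under, which is LocalSystem on a default install.
    Get-CimInstance Win32_Service -Filter "Name='WinDefend'" |
        Select-Object Name, State, StartName, PathName
}

$result = Test-MpEnginePatched
$result | Format-List
Get-MpServiceAccount | Format-List

if (-not $result.Patched) {
    Write-Warning "Engine $($result.EngineVersion) is older than $FixedEngine; updating..."
    # Update-MpSignature pulls both the engine and the definitions, which is
    # the channel Microsoft used to ship this fix.
    Update-MpSignature
    Test-MpEnginePatched | Format-List
}
```

Run it from an elevated prompt on each machine you care about; on a fleet, wrap Test-MpEnginePatched in Invoke-Command and collect the Patched field, since a server that never sees a desktop user is exactly the kind of host this bug reaches.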
That this exploit went unnoticed for over four years is incredible. It reaches far more than the 400 million Windows 10 machines, since every supported Windows release ships the same engine, and it could have turned a large slice of the internet into the world's largest Bitcoin mining pool without any system logs being generated, or any alerts being sent to the administrator, because the malicious code runs inside the antivirus itself. It is a relief that it was discovered and reported responsibly to Microsoft. I'm sure network admins around the world are breathing easier now that they know their weekend won't be ruined by malware that silently attacks any system no matter how secure it appears.