PSA: Windows Defender bug lets attackers install malware on your system while it is scanning for malware

A security advisory from Microsoft, following a report by Google's Project Zero researchers, is alerting the public to one of the most severe remotely exploitable bugs ever found in a Windows component: a flaw in the Windows Defender scanning engine that lets a file being scanned take over the scanner and turn it into a malware installer. The bug is in the Microsoft Malware Protection Engine, the scanner behind Windows Defender on Windows 8.1 and 10 (and behind Microsoft Security Essentials, System Center Endpoint Protection and the server editions as well), and every version of the engine prior to the fix is affected. Microsoft's security team is advising everyone to update as soon as possible. The fix is an engine update that ships through Defender's normal definition-update channel rather than the monthly patch cycle, so network administrators should verify that it has actually arrived on their machines; Microsoft is pushing it out automatically to all 400 million-odd Windows 10 users.

Before you even start reading this article, hit WIN key + I, head to "Update & security", and check for new updates; that pulls the latest Defender engine and definitions along with everything else, and the "Update" tab in the Windows Defender app itself does the same thing. Apply it immediately. This exploit is the equivalent of thinking you're safe inside Gondor with those thick walls, and Sauron's Uruk-hai come bearing flowers in boxes for the guards, but once the guards look at them the "flowers" turn out to be Nazgûl and it all goes to hell.
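If you would rather check from a prompt than trust the Settings page, the script below does the same thing and tells you whether the fixed engine is actually installed. It is an added example written for this article, not code from Microsoft or from the Project Zero report; it assumes the Windows Defender PowerShell module (Get-MpComputerStatus and Update-MpSignature, present on Windows 8.1/10 and Server 2012 R2/2016) and uses 1.1.13704.0, the first engine build Microsoft's advisory lists as containing the fix.

```powershell
# Added example (not from the original article or from Microsoft): check
# whether this machine's Malware Protection Engine is at or above the build
# Microsoft shipped the fix in, and pull the latest engine/definitions if not.
# Assumes the Windows Defender PowerShell module. Run from an elevated prompt.

$FixedEngine = [version]'1.1.13704.0'   # first engine build with the fix, per Microsoft's advisory

function Get-DefenderEngineStatus {
    $status = Get-MpComputerStatus
    [pscustomobject]@{
        EngineVersion      = [version]$status.AMEngineVersion
        SignatureVersion   = $status.AntivirusSignatureVersion
        SignatureUpdated   = $status.AntivirusSignatureLastUpdated
        RealTimeProtection = $status.RealTimeProtectionEnabled
        Patched            = ([version]$status.AMEngineVersion -ge $FixedEngine)
    }
}

$before = Get-DefenderEngineStatus
$before | Format-List

if (-not $before.Patched) {
    Write-Warning "Engine $($before.EngineVersion) is older than $FixedEngine - updating now."
    # The engine ships through the same channel as signatures, so a signature
    # update from Microsoft Update brings the new mpengine.dll with it.
    Update-MpSignature -UpdateSource MicrosoftUpdateServer
    $after = Get-DefenderEngineStatus
    if ($after.Patched) {
        Write-Host "Engine is now $($after.EngineVersion). You're good."
    } else {
        Write-Warning ("Still on $($after.EngineVersion). Retry from Settings > Update & security, " +
                       "or run `"$env:ProgramFiles\Windows Defender\MpCmdRun.exe`" -SignatureUpdate")
    }
} else {
    Write-Host "Engine $($before.EngineVersion) already includes the fix."
}

if (-not $before.RealTimeProtection) {
    # Turning real-time protection off does not make you safe: the same engine
    # still runs for scheduled and on-demand scans, so update regardless.
    Write-Host "Real-time protection is off on this machine; update anyway."
}
```

The version comparison is the part that matters: Windows Update reporting "up to date" only tells you the monthly patches are installed, while the engine build number tells you whether the fixed scanner is the one actually loaded into MsMpEng.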

The flaw was discovered by Google's Project Zero team, whose job is to find and responsibly report serious vulnerabilities in widely used software such as Microsoft Windows, the major browsers, and other popular applications. Found by researchers Tavis Ormandy and Natalie Silvanovich, it is a remote code execution bug that is triggered inside Windows Defender's engine while it is scanning an attacker-supplied file.

Windows Defender's scanning is done by a service process called MsMpEng.exe, which hosts the Malware Protection Engine (mpengine.dll). It runs as NT AUTHORITY\SYSTEM, the most privileged local account on the machine, regardless of whether the logged-in user is a limited account or an administrator. That is a local account, not a domain-level group, but it has access to every part of the operating system. The same engine runs on servers, Server 2012 and 2016 included, and hardened or firewalled servers are not spared, because the engine scans whatever gets written to disk: a file uploaded to an IIS web server (IIS is Microsoft's web server, not a URL filter) is enough to reach it. In short, it works on just about any Windows system of these versions that can receive a file from the internet.

The way the attack works is that the user receives a file containing JavaScript crafted by the attacker. Windows Defender scans every new file as soon as it lands on disk; the file does not need to look suspicious first, and its name and extension do not matter, because the engine identifies content by inspecting it. During the scan, the engine's built-in JavaScript interpreter, NScript, evaluates the script so it can analyse what the script would do, and that interpreter has a type confusion bug: the script can hand it an object of one type where it expects another, and the interpreter uses it as the wrong type anyway, corrupting memory. From there the attacker's code runs inside the scanner, silently and without any user interaction. Why it works is the crazy part. MsMpEng neither drops privileges nor sandboxes the interpreter: the script is evaluated inside the SYSTEM process, so code that escapes the interpreter immediately runs with full system privileges. (There is no separate "elevation" step; the scanner is already at that level before it ever looks at the file.) And because the engine scans on write rather than on open, the file can arrive any number of ways: an email (scanned on arrival in the mailbox, whether or not you read it or open the attachment), an IM message (someone sending you a file on Skype), a web page or a rogue advert (the browser writes pages and scripts to its cache on disk), or a file "innocently" uploaded to a server running IIS. The JavaScript does not even have to run in Edge or Internet Explorer; if it merely ends up on disk, in any browser's cache or download folder, Defender picks it up and evaluates it, and the attacker's code runs while your defences are down.
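The three properties the last two paragraphs rest on (the scanner already runs as SYSTEM, a filesystem filter feeds it every file write, and a file that is merely written to disk gets inspected without anyone opening it) can all be checked on your own machine. The script below is an added example written for this article, not code from the original page or from the researchers; it assumes a stock Defender install with the standard service and driver names (WinDefend and WdFilter) and uses the harmless EICAR test string rather than anything resembling the real exploit.

```powershell
# Added example (not from the original article): verify the three claims
# above on a stock Windows 8.1/10 or Server 2016 Defender install.
# Assumes the standard service name WinDefend and minifilter name WdFilter.
# Run from an elevated PowerShell prompt.

# 1. Which account the scanner runs as. There is no "elevation" step: the
#    service is configured to start as LocalSystem, so any bug in the engine
#    is already executing as NT AUTHORITY\SYSTEM.
$svc = Get-CimInstance Win32_Service -Filter "Name='WinDefend'"
"WinDefend starts as: $($svc.StartName)  (state: $($svc.State))"

$proc = Get-CimInstance Win32_Process -Filter "Name='MsMpEng.exe'"
if ($proc) {
    $owner = Invoke-CimMethod -InputObject $proc -MethodName GetOwner
    "MsMpEng.exe PID $($proc.ProcessId) runs as $($owner.Domain)\$($owner.User)"
}

# 2. Why a file merely landing on disk is enough: Defender's filesystem
#    minifilter (WdFilter) sees every file write and hands new content to the
#    engine. fltmc lists the loaded minifilters; WdFilter should be among them.
fltmc filters | Select-String -Pattern 'WdFilter'

# 3. Prove the "no user interaction" part with the EICAR test string, a
#    standard anti-virus test file that is not malware. Writing it to a temp
#    directory, without ever opening it, should produce a detection in seconds.
$eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
$path  = Join-Path $env:TEMP 'eicar_test.txt'
try {
    [IO.File]::WriteAllText($path, $eicar)
} catch {
    # Real-time protection often blocks the write itself; that is also a hit.
    "Write blocked: $($_.Exception.Message)"
}
Start-Sleep -Seconds 5

# Show the detection record for our test file: note ProcessName is the
# process that wrote the file, not one that opened it.
Get-MpThreatDetection |
    Where-Object { $_.Resources -match 'eicar_test\.txt' } |
    Sort-Object InitialDetectionTime -Descending |
    Select-Object -First 1 ThreatID, InitialDetectionTime, ProcessName, Resources |
    Format-List

Remove-Item $path -ErrorAction SilentlyContinue
```

Step 3 is the one to pay attention to: nothing in the script ever reads the file back, yet the engine has already inspected it. Swap the EICAR string for a file that exploits the engine and you have the whole attack, minus any need for the victim to do anything.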

In every case, the file is scanned by MsMpEng, the engine evaluates the attacker's script in the middle of the scan, and the script hijacks the SYSTEM process. Yikes! Oh, and the proof-of-concept file has been shared on Twitter. DO NOT open it before updating, whatever browser you use: merely downloading it, or letting the browser cache it, is enough to trigger the bug, and on an unpatched machine it will crash the Defender service. Seriously.

That this bug went unnoticed for years is incredible. It affects hundreds of millions of computers, and an attacker could have used it to turn every one of them into a Bitcoin miner with nothing to tip off the administrator, because the process doing the damage would be the antivirus itself. It is a relief that it was discovered and reported responsibly to Microsoft, which shipped a fixed engine within days of the report. I'm sure network admins around the world are breathing easier now that they know their weekend won't be ruined by malware that silently attacks any system no matter how secure it appears.

Source: Project Zero, Microsoft TechNet