11 with 9 posters participating
Just because a vulnerability is old doesn’t mean it’s not useful. Whether it’s Adobe Flash hacking or the EternalBlue exploit for Windows, some methods are just too good for attackers to abandon, even if they’re years past their prime. But a critical 12-year-old bug in Microsoft’s ubiquitous Windows Defender antivirus was seemingly overlooked by attackers and defenders alike until recently. Now that Microsoft has finally patched it, the key is to make sure hackers don’t try to make up for lost time.
The flaw, discovered by researchers at the security firm SentinelOne, showed up in a driver that Windows Defender—renamed Microsoft Defender last year—uses to delete the invasive files and infrastructure that malware can create. When the driver removes a malicious file, it replaces it with a new, benign one as a sort of placeholder during remediation. But the researchers discovered that the system doesn’t specifically verify that new file. As a result, an attacker could insert strategic system links that direct the driver to overwrite the wrong file or even run malicious code.
Windows Defender would be endlessly useful to attackers for such a manipulation, because it ships with Windows by default and is therefore present in hundreds of millions of computers and servers around the world. The antivirus program is also highly trusted within the operating system, and the vulnerable driver is cryptographically signed by Microsoft to prove its legitimacy. In practice, an attacker exploiting the flaw could delete crucial software or data, or even direct the driver to run their own code to take over the device.
“This bug allows privilege escalation,” says Kasif Dekel, senior security researcher at SentinelOne. “Software that’s running under low privileges can elevate to administrative privileges and compromise the machine.”
20-year-old Mac modem flaw to a 10-year-old zombie bug in Avaya desk phones. Developers and security researchers can’t catch everything every time. It’s even happened to Microsoft before. In July, for example, the company patched a potentially dangerous 17-year-old Windows DNS vulnerability. As with so many things in life, better late than never.
This story originally appeared on wired.com.