Twelve-Year-Old Vulnerability Found in Windows Defender
Researchers found, and Microsoft has patched, a vulnerability in Windows Defender that has been around for twelve years. There is no evidence that anyone has used the vulnerability during that time.
The flaw, discovered by researchers at the security firm SentinelOne, showed up in a driver that Windows Defender—renamed Microsoft Defender last year—uses to delete the invasive files and infrastructure that malware can create. When the driver removes a malicious file, it replaces it with a new, benign one as a sort of placeholder during remediation. But the researchers discovered that the system doesn’t specifically verify that new file. As a result, an attacker could insert strategic system links that direct the driver to overwrite the wrong file or even run malicious code.
It isn’t unusual that vulnerabilities lie around for this long. They can’t be fixed until someone finds them, and people aren’t always looking.
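The check-then-replace mistake described above, as a constructed added example (not SentinelOne's or Microsoft's code, and a POSIX user-space stand-in for a kernel driver): a naive remediation routine that overwrites whatever the given path resolves to, beside a hardened version that refuses links and confirms the object it opened is the one it inspected. It assumes Python 3 on a host that provides os.O_NOFOLLOW (Linux or macOS); all file names and contents are made up for the demonstration.

```python
import os
import stat
import tempfile

PLACEHOLDER = b"quarantined by scanner\n"   # constructed stand-in for the benign placeholder file
ORIGINAL = b"original contents\n"

def remediate_naive(path: str) -> None:
    """Overwrite `path` with the placeholder, following whatever `path` resolves to.
    Nothing checks that `path` is a plain file, so a link planted there redirects the write."""
    with open(path, "wb") as fh:
        fh.write(PLACEHOLDER)

def remediate_hardened(path: str) -> None:
    """Overwrite only a regular, non-link file, and confirm the object actually opened
    is the one inspected (same device and inode) before truncating it."""
    before = os.lstat(path)                      # lstat never follows a symlink
    if not stat.S_ISREG(before.st_mode):
        raise PermissionError(f"refusing to remediate non-regular file: {path}")
    fd = os.open(path, os.O_WRONLY | os.O_NOFOLLOW)   # O_NOFOLLOW: fail rather than follow
    try:
        after = os.fstat(fd)
        if (after.st_dev, after.st_ino) != (before.st_dev, before.st_ino):
            raise PermissionError(f"file swapped between check and open: {path}")
        os.ftruncate(fd, 0)                      # only now is it safe to clobber
        os.write(fd, PLACEHOLDER)
    finally:
        os.close(fd)

def demo() -> dict:
    """Constructed scenario: `important.dat` must survive, `malware.exe` is a symlink
    pointing at it, and `real.exe` is a genuine file that should be remediated."""
    d = tempfile.mkdtemp()
    victim, link, real = (os.path.join(d, n) for n in ("important.dat", "malware.exe", "real.exe"))
    for p in (victim, real):
        with open(p, "wb") as fh:
            fh.write(ORIGINAL)
    os.symlink(victim, link)
    try:
        remediate_hardened(link)                 # expected to refuse the link
        refused = False
    except PermissionError:
        refused = True
    remediate_hardened(real)                     # a plain file is still remediated
    victim_intact = open(victim, "rb").read() == ORIGINAL
    remediate_naive(link)                        # follows the link: clobbers the victim
    return {"hardened_refused_link": refused,
            "hardened_left_victim_intact": victim_intact,
            "hardened_replaced_real_file": open(real, "rb").read() == PLACEHOLDER,
            "naive_overwrote_victim": open(victim, "rb").read() == PLACEHOLDER}
```

The device/inode comparison is what closes the gap between inspecting a path and writing to it; the lstat check alone would still lose a race against a link swapped in between the two steps.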
Nick Alcock • February 24, 2021 9:32 AM
“The researchers hypothesize that the bug stayed hidden for so long because the vulnerable driver isn’t stored on a computer’s hard drive full-time, like your printer drivers are. Instead, it sits in a Windows system called a ‘dynamic-link library,’ and Windows Defender only loads it when needed. Once the driver is done working, it gets wiped from the disk again.”
This gibberish doesn’t make me want to believe that the journalists who reported on this have the least idea what they’re talking about. (Something being a DLL does not mean it is transient: almost none are, and most of Windows is implemented as DLLs which necessarily stick around for the life of the system.)
Opening a library dynamically doesn’t mean it’s not on the disk when it’s not loaded! It means it’s not in that process’s address space (and actually Windows can elect to hang on to it even after the application asks to close it, so even that is not always true).