Windows Defender bug could allow full-system takeover

Just in case IT professionals needed more proof that antivirus software flaws can be some of the more dangerous around: The latest Windows Defender bug, which could allow full-system takeovers, was discovered Monday.

Tavis Ormandy, security researcher for Google's Project Zero team, said he "took a quick stab at writing a fuzzer" for Windows Defender and immediately found the memory corruption vulnerability. Microsoft described the Windows Defender bug as a remote code execution vulnerability caused by the Microsoft Malware Protection Engine not properly scanning a malicious file.

"An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the LocalSystem account and take control of the system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights," Microsoft wrote in an advisory. "To exploit this vulnerability, a specially crafted file must be scanned by an affected version of the Microsoft Malware Protection Engine."

According to Microsoft, there are a number of ways the Windows Defender bug could be exploited, depending on how the malicious file was delivered to a location that would be scanned by the Microsoft Malware Protection Engine.

"This is a very powerful exploit primitive, and exploitation does not seem difficult," Ormandy said in his disclosure.

Simon Zerafa, a professional IT technician, said the capability of a malicious portable executable (PE) file to exploit this Windows Defender bug is very dangerous.

So if you can make anything which is downloaded via any process look like a PE file then you could get System level execution. Marvelous!

— Simon Zerafa (@SimonZerafa) June 23, 2017

Microsoft pushed an automatic update with the Malware Protection Engine version 1.1.13903.0 to Windows 7, Windows 8.1, Windows 10 and Windows Server 2008.