Microsoft has patched a critical vulnerability in its ubiquitous built-in antivirus engine. Through this vulnerability, hackers could have executed malicious code by sending users to a booby-trapped website or attaching a booby-trapped file to an instant message or e-mail.
A user with real-time protection turned on did not need to click on the booby-trapped file or take any other action beyond visiting the malicious website or receiving the malicious instant message or e-mail.
Even with real-time protection turned off, the malicious file would be executed shortly after a scheduled scan started. The ease of exploitation stemmed from the vulnerable x86 emulator, which was not protected by a security sandbox and was, by design, reachable by remote attackers.
According to Tavis Ormandy, the Google Project Zero researcher who discovered the vulnerability, the flaw was spotted almost immediately after developing a fuzzer for the Windows Defender component.
“I took a quick stab at writing a fuzzer and immediately found heap corruption in the KERNEL32.DLL!VFS_Write API,” he wrote. “I suspect this has never been fuzzed before.”
Ormandy’s report was published on Friday, right after Microsoft released an update that patched the code-execution flaw. This is the third critical Windows Defender vulnerability revealed by the Project Zero researchers during the past seven weeks. The emulator is used to execute untrusted files that might have the potential to execute code.
A Microsoft representative said the company had fuzzed the Windows Defender component before.
“Fuzzing is one of a number of techniques we employ to update and strengthen our software,” the representative said. “It is a standard practice we use as part of the Security Development Lifecycle for our products.”
The Microsoft advisory, also published on Friday, stated that hackers who exploited the vulnerability could execute arbitrary code that would run with the rights of the LocalSystem account. According to the advisory, the account has “extensive privileges on the local computer and acts as the computer on the network.”
By exploiting the memory corruption bug in the Windows Defender emulator, the hacker could take control of the system and perform a variety of tasks, including installing programs, viewing, changing, or deleting data, as well as creating new user accounts.
Tavis Ormandy took special precautions in publishing some of the proof-of-concept exploits, which were linked to a file called testcase.txt.
“Note that, as soon as the testcase.txt file touches disk, it will immediately crash the MsMpEng service on Windows, which may destabilize your system,” the expert wrote. “The testcases have been encrypted to prevent crashing your exchange server.”
At the beginning of May, Microsoft patched a separate severe code-execution vulnerability in the malware protection engine. This is the engine powering Windows Defender, which is installed by default on all consumer PCs running supported versions of Windows. Ormandy called the flaw “the worst Windows remote code exec in recent memory,” and he warned that attacks “work against a default install, don’t need to be on the same LAN, and [they’re] wormable.”
On May 25, Microsoft patched another code-execution hole in the malware protection engine which, like the other two, could be exploited with little or no interaction on the part of targets.