With a market share of 76.56% worldwide, the Microsoft Windows desktop operating system is also a massive target for many cyber threats and attacks. In fact, over 97 million devices have already encountered various forms of threats, such as malware and viruses, in just the last 30 days.
Microsoft’s built-in antivirus software, Microsoft Defender (previously named Windows Defender), was designed to mitigate such threats and protect user devices, but what if the risk comes from the Defender itself?
That is what researchers from security firm SentinelOne found out last November when they discovered that Microsoft Defender had a vulnerability that could let attackers escalate their privileges on the operating system. Not only that – the bug had been in the software and had remained undiscovered for 12 years.
How did that happen? SentinelOne explained that the vulnerability remained undiscovered until now because the driver is normally not present on the hard drive of a computer but rather activated only when needed and then deleted right away.
The affected driver is also the component that deletes the intrusive files malware can create. When the driver removes a malicious file, it replaces it with a new, benign one as a sort of placeholder during remediation.
However, SentinelOne noticed that there is no verification whatsoever of whether this new file is actually a link. Thus, an attacker could plant links that cause the driver to overwrite the wrong file or even run malicious code.
It could also escalate admin privileges in the OS, which can be used by attackers to take over a Microsoft desktop. However, they will need to have access to the device first, either physically or remotely, which will require additional exploits.
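The flaw described above is a classic "follow the link" mistake in a remediation routine: the code writes a placeholder to a path without first checking what that path really is. The following Python example is added here to illustrate that bug class and its fix; it is not SentinelOne's or Microsoft's code and does not reproduce the Defender driver. It uses POSIX symbolic links on a temporary directory as a stand-in for the Windows link objects the article mentions; the function names `naive_replace`, `safe_replace` and `demo` and the placeholder bytes are constructed for the demonstration.

```python
import os
import stat
import tempfile

# Constructed placeholder content written in place of a removed file.
PLACEHOLDER = b"quarantined by remediation\n"
ORIGINAL = b"original sensitive content\n"


def naive_replace(path: str) -> None:
    """Vulnerable pattern: overwrite `path` without checking what it is.

    open(..., "wb") follows symbolic links, so if `path` is a link the
    placeholder lands on the link's target, not on the file that was
    flagged for removal.
    """
    with open(path, "wb") as fh:
        fh.write(PLACEHOLDER)


def safe_replace(path: str) -> bool:
    """Hardened pattern: refuse to follow links when placing the placeholder.

    Returns True when a regular file was replaced, False when the path was
    a link or any other non-regular object and the operation was refused.
    """
    st = os.lstat(path)  # lstat inspects the path itself, not a link target
    if stat.S_ISLNK(st.st_mode) or not stat.S_ISREG(st.st_mode):
        return False
    # Remove the flagged regular file by name, then create the placeholder
    # with O_EXCL | O_NOFOLLOW so that a link planted between the unlink
    # and the open is rejected instead of being followed.
    os.unlink(path)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW, 0o600)
    try:
        os.write(fd, PLACEHOLDER)
    finally:
        os.close(fd)
    return True


def _read(path: str) -> bytes:
    with open(path, "rb") as fh:
        return fh.read()


def demo() -> dict:
    """Constructed scenario: a sensitive file plus links that point at it."""
    root = tempfile.mkdtemp()
    sensitive = os.path.join(root, "sensitive.txt")
    with open(sensitive, "wb") as fh:
        fh.write(ORIGINAL)

    # 1. The naive routine is handed a link: the sensitive file is clobbered.
    link_a = os.path.join(root, "flagged_a.bin")
    os.symlink(sensitive, link_a)
    naive_replace(link_a)
    naive_clobbered = _read(sensitive) == PLACEHOLDER

    # Restore the sensitive file for the second trial.
    with open(sensitive, "wb") as fh:
        fh.write(ORIGINAL)

    # 2. The hardened routine is handed a link: it refuses, target untouched.
    link_b = os.path.join(root, "flagged_b.bin")
    os.symlink(sensitive, link_b)
    safe_refused = not safe_replace(link_b)
    safe_preserved = _read(sensitive) == ORIGINAL

    # 3. The hardened routine on a genuine regular file still does its job.
    regular = os.path.join(root, "flagged_c.bin")
    with open(regular, "wb") as fh:
        fh.write(b"bad bytes\n")
    regular_replaced = safe_replace(regular) and _read(regular) == PLACEHOLDER

    return {
        "naive_clobbered": naive_clobbered,
        "safe_refused": safe_refused,
        "safe_preserved": safe_preserved,
        "regular_replaced": regular_replaced,
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The check in `safe_replace` is done on the path itself (`lstat`) and then enforced again at creation time (`O_EXCL | O_NOFOLLOW`), because a check-then-act sequence with a gap between the two steps is exactly where a planted link slips in; on Windows the equivalent is to reject reparse points and open with flags that do not traverse them.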
“Since the vulnerability is present in all Windows Defender versions starting from around 2009, it’s likely that numerous users will fail to apply the patch, leaving them exposed to future attacks”, stated SentinelOne.
Both the security firm and Microsoft said that there are no indications that this flaw has been exploited in the wild – at least not yet. Without any protection, patch or update, as many as 1 billion users of Microsoft Windows are vulnerable to the bug.
Microsoft rated the vulnerability as high-risk and already released security patches for it last month.