Windows Defender fixed 12-year-old vulnerability
Microsoft Defender Antivirus (formerly just Windows Defender) has fixed an old privilege escalation vulnerability. Interestingly, this bug appeared in the code about 12 years ago and affected all versions of Defender for Windows 7 and higher released after 2009.
The vulnerability, discovered by SentinelOne researchers in November last year, was assigned CVE-2021-24092. It also affects other Microsoft security products, including Microsoft Endpoint Protection, Microsoft Security Essentials, and Microsoft System Center Endpoint Protection.
The problem was found in the BTR.sys driver (the Boot Time Removal Tool), which is used to remove files and registry entries created by malware. The researchers believe the vulnerability went unnoticed for so long because of the “nature of this particular mechanism of activation.”
“We believe that this vulnerability has not been discovered until now, because this driver is usually not present on the hard drive, but is reset and activated when necessary (with a random name), and then removed,” says the company report.
In essence, when BTR.sys deletes a malicious file, it temporarily replaces it with a new, harmless one. The researchers found that the system did not verify this new file in any way, so an attacker could overwrite the wrong file or even run malicious code with privileges elevated to the administrator level.
The hotfix is installed automatically on all systems running affected versions of Microsoft Defender that have automatic updates enabled. The bug was fixed as part of the February “Update Tuesday”. The latest version of the Microsoft Malware Protection Engine affected by this vulnerability is 1.1.17700.4; the first version containing the fix is 1.1.17800.5.
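A quick way to verify the fix on a Windows host, as an added example that is not from the article, SentinelOne or Microsoft: it assumes the Defender PowerShell module (Get-MpComputerStatus, Update-MpSignature) is available, which is the case on Windows 10 / Windows Server 2016 and later, and compares the running engine build against the fixed version given above.

```powershell
# Added example (not from the article): check whether the local Microsoft Defender
# engine is at or above the first build that fixes CVE-2021-24092.
# Assumes the Defender PowerShell module is present (Windows 10 / Server 2016+).
$FixedEngine = [version]'1.1.17800.5'   # first fixed engine version quoted in the article
$LastBadEngine = [version]'1.1.17700.4' # last affected engine version quoted in the article

$status = Get-MpComputerStatus
$engine = [version]$status.AMEngineVersion   # e.g. "1.1.17800.5" -> System.Version

# Summarise the state in one object so it can be collected across many hosts.
[pscustomobject]@{
    Computer          = $env:COMPUTERNAME
    EngineVersion     = $engine
    FixedVersion      = $FixedEngine
    Patched           = ($engine -ge $FixedEngine)
    SignatureUpdated  = $status.AntivirusSignatureLastUpdated
}

if ($engine -le $LastBadEngine) {
    Write-Warning "Engine $engine is within the affected range; requesting an update."
    # Asks Defender to pull current definitions/engine from its configured update source.
    Update-MpSignature
}
```

Hosts still on Windows 7 or Microsoft Security Essentials do not have this module, so their engine version has to be read from the product UI or from the update history instead.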
“Although it seems that this vulnerability has not been exploited, attackers are likely to figure out how to exploit it on unprotected systems. In addition, since the vulnerability has been present in all versions of Windows Defender since about 2009, it is likely that many users will not be able to apply the released patch, which makes them vulnerable to future attacks,” summarize the SentinelOne experts.
Let me remind you that on the first “Update Tuesday” in 2021, Microsoft patched the 0-day vulnerability in Defender, one among 83 vulnerabilities in the company’s products.
I also wrote that attackers can use Microsoft Defender to download viruses and malware.