Microsoft has released an out-of-band patch for two severe flaws in Windows Defender. The flaws were discovered by the National Cyber Security Centre (NCSC), a unit of the UK’s spy agency GCHQ, which dispenses cyberdefense advice to the government and public.
Just last week, for example, the NCSC told UK agencies hosting information classified ‘secret’ never to use any Russian antivirus, including Kaspersky, due to the risk of Russian cyber-spies using it as a backdoor.
The NCSC’s probe of Microsoft’s antivirus uncovered two critical remote code execution bugs in the core of Windows Defender, called Microsoft Malware Protection Engine.
The bugs, tracked as CVE-2017-11937 and CVE-2017-11940, are similar to the “crazy-bad” bug Google’s Project Zero disclosed in May, which could be exploited by having the engine process a specially crafted file. The technique could lead to a complete system compromise.
The two new bugs can lead to a memory corruption when the Malware Protection Engine scans a particular attack file.
“An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the LocalSystem account and take control of the system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” said Microsoft.
An attacker can perform the exploit by leading a target to a malicious website or by sending the specially crafted file as an email or instant message, which the malware engine would automatically scan when the file is opened.
An attacker could also upload the attack file to a shared location on a server that the engine scans.
As with the earlier vulnerability, the two bugs could be more dangerous to systems where real-time protection is on, because the engine is configured to automatically scan all files. On systems where real-time protection is off, the attacker would need to wait for a scheduled scan to launch the attack.
The bugs affect Windows Defender for all supported Windows PC and server platforms, as well as Windows Intune Endpoint Protection, Security Essentials, Forefront, Endpoint Protection, and Exchange Server 2013 and 2016.
Fortunately, Microsoft says the bugs have not been publicly disclosed and are not known to have been exploited.
Microsoft notes that typically admins won’t need to take action since updates will be applied by the system that affected products use to detect and deploy updates. They will be available within 48 hours of release.
Google’s Project Zero researchers have reported a total of 10 bugs this year in the Microsoft Malware Protection Engine, evenly split between remote code execution and denial-of-service flaws.