Microsoft Quietly Fixes Another “Extremely Bad Vulnerability” in Windows Defender

Megalith

Serving as additional justification for the call to sandbox MsMpEng, yet another vulnerability regarding Windows Defender was caught by Google Project Zero. This one was not as easy to exploit as the one patched two weeks ago, but it is still being described as extremely bad: an attacker could have crafted an executable that, when processed by the Malware Protection Engine’s emulator, could enable remote code execution.

The vulnerability would allow applications executed in MsMpEng’s emulator to control the emulator to achieve all kinds of mischief, including remote code execution when Windows Defender scanned an executable sent by email. “MsMpEng includes a full system x86 emulator that is used to execute any untrusted files that look like PE executables. The emulator runs as NT AUTHORITY\SYSTEM and isn’t sandboxed. Browsing the list of win32 APIs that the emulator supports, I noticed ntdll!NtControlChannel, an ioctl-like routine that allows emulated code to control the emulator.”
 
Is this KB4020102? Article doesn't say, but on Winsupersite, there's no mention of Windows Defender for that patch.
Just a guess, but since it was patched last week I'd say the patch was included in a definitions update like the one two weeks ago.
 
So it's better to turn windows defender off than to use it at all.
 
Thanks for the heads up. I use Windows Defender by default so it is good to see a fix come down for a found vulnerability. Of course, we know Google is only doing this to make Microsoft look bad but, as long as it gets patched, just the way Business as usual goes.
I don't know about that. I definitely disagree when they release zero day code, but finding bugs and reporting them to the company that owns the code is a good thing. AFAIK, they do this for a wide variety of software, not just MS and not all are competitors.

Well maybe...just maybe, if MS actually employed security researchers (and bothered testing their shit with true QA teams) as smart as some of the guys in Project Zero some of this shit wouldn't happen.

While I didn't care for Ormandy's open disclosure (every exploit should be properly disclosed) of the last Defender issue he's still one of the best security researchers out there right now and he certainly isn't doing this to "make Microsoft look bad."

Ormandy plays no favorites. He finds exploits in everything he touches. The exploit he found in the LastPass browser extension a month or two ago was flat out amazing and it wasn't even the first exploit in LastPass he discovered.
"B-B-But everyone knows he's only doing it to make LastPass look bad!"

B-B-But, 24/7 keylogging. /s Yep, here we go, this is going to be a 10 page thread about nothing once all is said and done. :D Openly disclosing a zero day vulnerability is not done for the betterment of the community that I can tell. Oh well, just the way Business is done and that is that.