In what seems like an eerie rerun of the Log4j scenario, a security researcher’s tweet in mid-January exposed a zero-day vulnerability in Microsoft Defender, an anti-malware component of the Windows operating systems. Amid claims that the vulnerability in certain older versions had been around for at least eight years, Microsoft maintained a studied silence, leaving users with the affected iterations to fend for themselves. Read on to find out what the threat potential of this Microsoft Defender vulnerability is, and the safeguards needed to fix the security gap.
The Windows Defender Vulnerability
The issue came to light on January 12, when Antonio Cocomazzi, a security researcher at SentinelOne, posted a tweet describing a weakness in Microsoft Defender. The weakness allows cybercriminals to learn which locations are excluded from Defender scans and to plant malware there. Some users replying to the thread claimed the vulnerability had existed for over eight years and affected Windows 10 21H1 and Windows 10 21H2. Because it is a zero-day vulnerability, the likelihood of threat actors exploiting it to bypass the security solution’s defences is high. Another tweet indicated that the vulnerability does not affect the latest edition of Windows, i.e., Windows 11, but the cost of the hardware upgrades that Windows 11 requires may make the move from the old version to the new one prohibitive for many users.
The Exploit and Its Process
The Microsoft Defender Vulnerability lets an attacker take advantage of a design weakness in the application. All antivirus software offers a feature called an exclusion list. In this list, users add drive locations and paths (local or network) that Defender will leave out of its malware scans. Users commonly add these exclusions to stop the antivirus from interfering with a legitimate program that the malware scanner has incorrectly flagged as malicious. In light of the vulnerability’s discovery, however, these exceptions have turned into gateways for attackers, who can deploy malware there without fear of detection.
Security researchers including Antonio Cocomazzi, Nathan McNulty, and a few others found that the list of excluded paths and drive locations in Microsoft Defender is unprotected. This means any local user, or a malicious entity acting as one, can read the information regardless of permission level simply by querying the registry manually. From there, they can learn which paths, files, or risky programs users have excluded from the Defender check.
This list of excluded locations is extremely attractive to cybercriminals. According to McNulty, a malicious attacker can read the exclusion list from the registry tree at a command prompt, through the entries that store Group Policy settings. This type of data can have a cascading impact, because it reveals the exclusion list shared by many computers. McNulty also warned that Microsoft Defender on a server has “automatic exclusions, which users can enable when distinct roles or features get installed”, and that these do not protect custom locations. In tests conducted by BleepingComputer, a malware sample executed from an excluded folder ran undetected on the system.
How do you protect your organization against the Microsoft Defender Vulnerability?
There are only a handful of ways to safeguard a system against the Microsoft Defender Vulnerability:
One way is to prevent users from modifying the Defender policy settings on their local machines. You can push this out as a Group Policy update from the Group Policy Management Console.
Another way is to stop malware from reaching excluded locations in the first place by deploying endpoint security solutions across the network. These solutions form the front line, securing end-user devices such as mobile handsets, laptops, desktops, and other network-connected devices. So, even if your Microsoft Defender exclusion list is active and a threat actor knows the excluded paths, they cannot place malware in those locations because the endpoint solution still covers them.
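The two safeguards above are easier to verify than to describe. The following PowerShell audit script is an added example written for this article; it is not code from Packetlabs, Microsoft, or the researchers cited above. Run as an administrator, it enumerates the host’s Defender exclusions, flags ones that hand an attacker a broad or user-writable staging area, checks whether the Group Policy values that lock the list against local changes are set, and reports which principals can read the registry key holding local path exclusions. The policy value names (DisableLocalAdminMerge and HideExclusionsFromLocalAdmins) and the “risky path” patterns are assumptions that you should check against your own Group Policy templates and adapt to your environment.

```powershell
# Added audit example, not part of the original article. Run elevated.
# Assumed policy value names: DisableLocalAdminMerge, HideExclusionsFromLocalAdmins.
# Assumed "risky" patterns: adjust to your environment.

$pref = Get-MpPreference

# 1. Collect every configured exclusion, by type.
$exclusions = @()
foreach ($p in $pref.ExclusionPath)      { $exclusions += [pscustomobject]@{ Type = 'Path';      Value = $p } }
foreach ($e in $pref.ExclusionExtension) { $exclusions += [pscustomobject]@{ Type = 'Extension'; Value = $e } }
foreach ($x in $pref.ExclusionProcess)   { $exclusions += [pscustomobject]@{ Type = 'Process';   Value = $x } }

# 2. Flag exclusions that give an attacker a large or easily writable area:
#    whole drive roots, user profiles, temp/AppData folders, and wildcard paths.
$riskyPatterns = @(
    '^[A-Za-z]:\\?$',          # an entire drive, e.g. C:\
    '\\Users\\',               # anything under a user profile
    '\\Temp\\|\\AppData\\',    # temp or per-user application data
    '\*'                       # wildcards widen the excluded set
)
$findings = $exclusions | Where-Object {
    $v = $_.Value
    ($riskyPatterns | Where-Object { $v -match $_ }).Count -gt 0
}

# 3. Check the Group Policy values that stop local users from changing
#    or reading the list (value names assumed; verify in your ADMX templates).
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
$policy = if (Test-Path $policyKey) { Get-ItemProperty -Path $policyKey } else { $null }
$mergeDisabled = [bool]($policy -and $policy.DisableLocalAdminMerge -eq 1)
$hidden        = [bool]($policy -and $policy.HideExclusionsFromLocalAdmins -eq 1)

# 4. Inspect who holds Allow entries on the key that stores local path exclusions.
$exclKey = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths'
$broadReaders = @()
if (Test-Path $exclKey) {
    $acl = Get-Acl -Path $exclKey
    $broadReaders = $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -match 'Everyone|\\Users$|Authenticated Users'
        } |
        ForEach-Object { $_.IdentityReference.Value }
}

# 5. Report.
"Exclusions configured: $($exclusions.Count)"
"Risky exclusions (review and remove where possible):"
$findings | Format-Table -AutoSize
"Local admin merge disabled by policy:   $mergeDisabled"
"Exclusions hidden from local users:     $hidden"
"Broad principals allowed on $exclKey : $($broadReaders -join ', ')"
```

Treat any entry in the “risky exclusions” table as a candidate for removal or narrowing to a specific file or process; an exclusion that covers a whole drive or a user-writable folder is exactly the gateway the article describes. If either policy line reports False, the local list is still editable by or visible to local accounts, and the Group Policy update described above has not taken effect on that host.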
Enterprises can also engage security consulting companies such as Packetlabs, which can provide a cybersecurity maturity assessment or penetration testing to guide and support your cybersecurity plan.
Companies that rely on Windows operating systems (Windows 8, 10, and 11) must prioritize security measures against the Microsoft Defender Vulnerability. Packetlabs penetration testers are Offensive Security Certified Professionals (OSCP) who manually conduct real-world attacks against your networks and systems to uncover gaps and vulnerabilities, including Microsoft vulnerabilities. Contact Packetlabs today.