Google Project Zero bug-hunter Tavis Ormandy has alerted the world to yet another way Microsoft's anti-virus tool Windows Defender could be attacked.
Ormandy went public with the bug on Friday after Microsoft shipped its fix. He reported the issue to Redmond on June 9th.
The bug is in the non-sandboxed x86 emulator Windows Defender uses. The apicall instruction runs with system privilege, and Ormandy wrote a fuzzer to check it out. What he found, in the post entitled “MsMpEng: mpengine x86 Emulator Heap Corruption in VFS API”, is “heap corruption in the KERNEL32.DLL!VFS_Write API” which he suspects has so far been ignored by fuzzers. “I suspect the MutableByteStream object [is] getting corrupted with an unchecked memcpy, I've seen multiple different stacktraces including wild eip”, he writes.

After his initial post, Ormandy mulled the exploitability of the bug and came up with a minimal test case:
“The first call extends the length of the file to nOffset, but because the numberOfBytes parameter is 0 no space is allocated. Then you can read and write arbitrary data to an arbitrary offset to the MutableByteStream object buffer”, he writes. “This is a very powerful exploit primitive, and exploitation does not seem difficult.”

Microsoft has issued a fixed version of the Malware Protection Engine, version 1.1.13903.0. ®
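As an added illustration of the length/allocation mismatch Ormandy describes (this is not his test case and not Microsoft's mpengine code; the ByteStream type and the stream_* function names are assumed), here is a toy C byte stream whose write routine keeps the invariant the bug broke: a zero-byte write that extends the stream grows the backing allocation before the length is updated, so a later write at that offset stays in bounds.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Toy stream (assumed names, not mpengine's MutableByteStream). */
typedef struct { uint8_t *buf; size_t cap; size_t len; } ByteStream;  /* allocation, allocated bytes, logical length */

/* The invariant the bug broke: logical length never exceeds the allocation. */
static int stream_invariant_ok(const ByteStream *s) {
    return s->len <= s->cap && (s->cap == 0 || s->buf != NULL);
}

/* Grow the allocation so at least `need` bytes are backed; new bytes are zeroed. */
static int stream_reserve(ByteStream *s, size_t need) {
    if (need <= s->cap) return 1;
    uint8_t *p = realloc(s->buf, need);
    if (!p) return 0;
    memset(p + s->cap, 0, need - s->cap);
    s->buf = p; s->cap = need;
    return 1;
}

/* Hardened write: a zero-byte write that extends the stream grows the allocation
 * *before* the length is updated, so later accesses at that offset stay in bounds.
 * Returns 1 on success, 0 on size_t wrap or allocation failure. */
static int stream_write(ByteStream *s, size_t offset, const void *data, size_t n) {
    if (offset > SIZE_MAX - n) return 0;          /* offset + n would wrap */
    size_t end = offset + n;
    if (end > s->len) {
        if (!stream_reserve(s, end)) return 0;
        s->len = end;
    }
    if (n) memcpy(s->buf + offset, data, n);
    return stream_invariant_ok(s);
}

static void stream_free(ByteStream *s) { free(s->buf); s->buf = NULL; s->cap = s->len = 0; }
/* Replays the two-call pattern from the article against the hardened stream with
 * constructed input: a zero-byte write at offset 4096, then a real write near it.
 * Returns 1 if every step stayed within the allocation. */
static int demo_two_call_pattern(void) {
    ByteStream s = {0};
    int ok = stream_write(&s, 4096, NULL, 0);            /* len -> 4096 ... */
    ok = ok && s.len == 4096 && s.cap >= 4096;           /* ... and cap grew */
    ok = ok && stream_write(&s, 4090, "hello", 5);       /* now in bounds */
    ok = ok && memcmp(s.buf + 4090, "hello", 5) == 0 && s.len == 4096;
    ok = ok && stream_write(&s, SIZE_MAX, "x", 1) == 0;  /* wrap rejected */
    stream_free(&s);
    return ok;
}
```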