News hardware & software 15 February 2021, 13:53

Dangerous Windows Defender Vulnerability Removed After 12 Years

A vulnerability has been discovered in Windows Defender. This would not be surprising if not for the fact that it has been around for 12 years without anyone noticing.

IN A NUTSHELL:
  • A dangerous vulnerability in Windows Defender went unpatched for 12 years;
  • The February 9 update to Windows 10 fixes the problem.

Windows Defender is a security program present by default in Windows 10; some users consider it a simple antivirus. It recently turned out that it contained a dangerous vulnerability that went unnoticed for 12 years. Both potential attackers and Microsoft were unaware of it. Last fall it was discovered by the security company SentinelOne. The vulnerability was fixed by the Windows 10 patch from February 9, so we can already talk about it in the past tense.

The vulnerability was related to a DLL (Dynamic-Link Library) file of a driver in Microsoft Defender. When the application deletes a suspicious file, it creates a replacement file - a space filler that replaces the deleted data. The system does not thoroughly verify the new file, so this creates an opportunity to influence the driver to remove the incorrect file or even execute malicious code (using Defender's permissions). Microsoft marked this threat as "high", so it could be considered significant.

The most interesting thing about this is how such a vulnerability could exist unnoticed for so many years. There are a few possible explanations. First of all, for the vulnerability to be exploited, access to the computer - physical or remote - was required. So someone would first have to exploit another vulnerability, or reach the device they want to attack. The second reason could be that the vulnerability was hard to spot on the system, as it was not actively present in memory. This may partially explain why such a threat was overlooked - it was simply not very "attractive" for cybercriminals.

Arkadiusz Strzala
