Jump to content

Researcher says fixes to Windows Defender's engine incomplete


Batu69

Recommended Posts

James Lee says Microsoft's A-V software still has remote code execution holes

In spite of a flurry of patches designed to fix Windows Defender, at least one security researcher reckons there's still work to be done.

James Lee, who has presented at conferences like Zer0con, has contacted The Register to say the key vulnerable component, MsMpEng, is still subject to remote code execution.

 

As with the bugs disclosed by Tavis Ormandy and fellow Project Zero researcher Mateusz Jurczyk, the bugs Lee's outlined to us arise because of insufficient sandboxing.

 

While he hasn't provided full details to us, he's posted two remote code execution proof-of-concept videos at YouTube:

Youtube Video  : Another MsMpEng RCE (Before)

Youtube Video  :Another MsMpEng RCE (After)

 

In spite of the system being fully patched (as shown in the first video), Lee's work shows Windows Defender crashing and unable to restart.

Lee told The Register his discoveries aren't related to what Microsoft's fixed in response to Project Zero's recent disclosures. Those, he wrote in an e-mail, covered “multiple denial-of-service, integer overflow, and use-after-free bugs”, while his work has drilled into type confusions and logical bugs.

 

Lee's demonstration that MsMpEng needs to be sandboxed is in line with yet another Tweet from Ormandy (the world is waiting for what follows):

Ever since early May, MsMpEng's lack of sandboxing has been under increasing criticism from researchers. Yesterday, yet another sandbox escape was posted to GitHub by Thomas Vanhoutte. That contribution (not yet complete, Vanhoutte writes) aims to give a guest-privilege attacker the ability to use Defender to delete arbitrary files, including DLLs (which would offer various hijack opportunities).

 

Article source

Link to comment
Share on other sites


  • Replies 2
  • Views 584
  • Created
  • Last Reply

I would have posted the videos after microsoft was informed about them because you can see some details in the videos if you watch them full screen.

Link to comment
Share on other sites


35 years and Microsoft still cannot secure Windows yet they keep adding more bloat to the operating system and more fixes and updates and more vulnerability.  What the world needs is a good Operating System that is strictly an operating system without all the bloat that 99% of the people never use and spend time trying to get rid of or avoid.

Link to comment
Share on other sites


Archived

This topic is now archived and is closed to further replies.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...