Home | Blog | Software | Reviews and Features | Forum | Help | Donate | About us
topbanner_forum
  *

avatar image

Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
  • October 17, 2017, 04:54 AM
  • Proudly celebrating 10 years online.
  • Donate now to become a lifetime supporting member of the site and get a non-expiring license key for all of our programs.
  • donate

Author Topic: Massive vulnerability in Windows Defender leaves most Windows PCs vulnerable  (Read 4742 times)

mouser

  • First Author
  • Administrator
  • Joined in 2005
  • *****
  • Posts: 37,485
    • View Profile
    • Donate to Member
Massive vulnerability in Windows Defender leaves most Windows PCs vulnerable

Quote
Microsoft on Monday patched a severe code-execution vulnerability in the malware protection engine that is used in almost every recent version of Windows (7, 8, 8.1, 10, and Server 2016), just three days after it came to its attention. Notably, Windows Defender is installed by default on all consumer-oriented Windows PCs.
...
The exploit (officially dubbed CVE-2017-0290) allows a remote attacker to take over a system without any interaction from the system owner: it's simply enough for the attacker to send an e-mail or instant message that is scanned by Windows Defender. Likewise, anything else that is automatically scanned by Microsoft's malware protection engine—websites, file shares—could be used as an attack vector. Tavis Ormandy, one of the Google Project Zero researchers who discovered the flaw, warned that exploits were "wormable," meaning they could lead to a self-replicating chain of attacks that moved from vulnerable machine to vulnerable machine.



Deozaan

  • Charter Member
  • Joined in 2006
  • ***
  • Points: 1
  • Posts: 8,082
    • View Profile
    • Donate to Member
Wow. That sounds pretty serious. :o

I just checked and it seems it's already been patched on my machine. :Thmbsup:

For those interested, here is the original Project Zero report:

https://bugs.chromiu...ssues/detail?id=1252
« Last Edit: May 09, 2017, 01:08 PM by Deozaan »

Curt

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 7,269
    • View Profile
    • Donate to Member
Quote from: TN Microsoft Security Advisory 4022344
Why is no action required to install this update?
In response to a constantly changing threat landscape, Microsoft frequently updates malware definitions and the Microsoft Malware Protection Engine. In order to be effective in helping protect against new and prevalent threats, antimalware software must be kept up to date with these updates in a timely manner.

For enterprise deployments as well as end users, the default configuration in Microsoft antimalware software helps ensure that malware definitions and the Microsoft Malware Protection Engine are kept up to date automatically.

https://technet.microsoft.com/en-us/library/security/4022344

f0dder

  • Charter Honorary Member
  • Joined in 2005
  • ***
  • Posts: 9,100
    • View Profile
    • Donate to Member
This is a pretty, pretty bad vulnerability, and I'm glad Natalie Silvanovich and Tavis Ormandy found it before it was wormed.

It's yet another example of why it's so bloody dangerous to run complex code in privileged (whether that's kernel-mode or "just" administrator/root privileges) accounts. Researches have generally called Windows defender the "least bad" security wise (3rd-party AV tools tend to do way too much stuff in kernelmode for their own good, and some of them fuck your browser security) - but obviously when something of this scale is found, it's terribad because of the scale of deployment.

Hopefully Microsoft will eventually get all the file-format parsing, untrusted code evaluation (etc.) for antimalware running in a non-privileged sandbox.

EDIT: kudos to Microsoft for fixing this very fast. Four day turnaround.

Contro

  • Participant
  • Joined in 2007
  • *
  • Posts: 3,144
    • View Profile
    • Donate to Member
I think I suffered a few weeks ago.
It was hard to solve it, just because i am a little unable to restore an image and try always to save the original system.
I even have now some rests
 :-[

cyberdiva

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 1,010
    • View Profile
    • Donate to Member
How are we supposed to tell whether Microsoft has fixed the vulnerability on individual computers? I have Windows 7 Professional. I see no indication that Microsoft has made available to me any update that would fix the problem (i.e., my last updates were installed more than a week ago, and I see no sign that new updates are ready for me to download and install).
I have Kaspersky as my main AV, but apparently I still receive updates for Windows Defender as well. Some months back, when I tried to turn off Windows Defender, Microsoft kept telling me I should turn it back on, so I did. To my surprise, WD and Kaspersky don't seem to interfere with each other.  But in light of the news of this latest vulnerability, should I try again to turn Windows Defender off?

Deozaan

  • Charter Member
  • Joined in 2006
  • ***
  • Points: 1
  • Posts: 8,082
    • View Profile
    • Donate to Member
How are we supposed to tell whether Microsoft has fixed the vulnerability on individual computers?

The linked article says:

To check whether your Windows PC has been updated, head to "Windows Defender settings" and note the Engine version number. 1.1.13704.0 or higher means you've been patched.

tomos

  • Charter Member
  • Joined in 2006
  • ***
  • Posts: 10,830
    • View Profile
    • Donate to Member
How are we supposed to tell whether Microsoft has fixed the vulnerability on individual computers?

The linked article says:

To check whether your Windows PC has been updated, head to "Windows Defender settings" and note the Engine version number. 1.1.13704.0 or higher means you've been patched.
thanks Deozaan,
on the older MSE, click the little drop-down arrow beside help, then 'about' gives the relevant info:
Engine Version: 1.1.13704.0

cyberdiva

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 1,010
    • View Profile
    • Donate to Member
Many thanks, Deozaan. I've now checked. The version number is way out of date, but apparently I succeeded in turning WD off when I installed Kaspersky and did not succeed in turning it back on when it kept nagging at me to do so. So Windows Defender is turned off. I'm assuming that means that it hasn't been scanning anything and won't be doing so, and thus it will not be vulnerable to the malware threat in question. If I'm wrong, I hope someone will let me know.

tomos

  • Charter Member
  • Joined in 2006
  • ***
  • Posts: 10,830
    • View Profile
    • Donate to Member
Many thanks, Deozaan. I've now checked. The version number is way out of date, but apparently I succeeded in turning WD off when I installed Kaspersky and did not succeed in turning it back on when it kept nagging at me to do so. So Windows Defender is turned off. I'm assuming that means that it hasn't been scanning anything and won't be doing so, and thus it will not be vulnerable to the malware threat in question. If I'm wrong, I hope someone will let me know.

if you have another AV installed, it will disable Defender.
(Could you run W.Defender, and update manually to be on the safe side? -- not sure would Kapersky complain though)

wraith808

  • Supporting Member
  • Joined in 2006
  • **
  • default avatar
  • Posts: 8,939
    • View Profile
    • Donate to Member
Many thanks, Deozaan. I've now checked. The version number is way out of date, but apparently I succeeded in turning WD off when I installed Kaspersky and did not succeed in turning it back on when it kept nagging at me to do so. So Windows Defender is turned off. I'm assuming that means that it hasn't been scanning anything and won't be doing so, and thus it will not be vulnerable to the malware threat in question. If I'm wrong, I hope someone will let me know.

The fact that you aren't running/updating it doesn't have relevancy in many cases with these kinds of vulnerability.  It might in this case, but I wouldn't depend on that.

Stoic Joker

  • Honorary Member
  • Joined in 2008
  • **
  • Posts: 6,376
    • View Profile
    • Donate to Member
Many thanks, Deozaan. I've now checked. The version number is way out of date, but apparently I succeeded in turning WD off when I installed Kaspersky and did not succeed in turning it back on when it kept nagging at me to do so. So Windows Defender is turned off. I'm assuming that means that it hasn't been scanning anything and won't be doing so, and thus it will not be vulnerable to the malware threat in question. If I'm wrong, I hope someone will let me know.

The fact that you aren't running/updating it doesn't have relevancy in many cases with these kinds of vulnerability.  It might in this case, but I wouldn't depend on that.

Me either, if something that accessible is left outdated and dormant it would be way to tempting a target to get overlooked for long.

cyberdiva

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 1,010
    • View Profile
    • Donate to Member
The fact that you aren't running/updating it doesn't have relevancy in many cases with these kinds of vulnerability.  It might in this case, but I wouldn't depend on that.
As I understand it, the problem comes when WD scans objects and gets infected. If I have WD turned off so that it doesn't run, how am I still vulnerable?

wraith808

  • Supporting Member
  • Joined in 2006
  • **
  • default avatar
  • Posts: 8,939
    • View Profile
    • Donate to Member
The fact that you aren't running/updating it doesn't have relevancy in many cases with these kinds of vulnerability.  It might in this case, but I wouldn't depend on that.
As I understand it, the problem comes when WD scans objects and gets infected. If I have WD turned off so that it doesn't run, how am I still vulnerable?


Just because that's the use case that has been outlined, it doesn't mean that there cannot be an exploit that is found that is outside of the problem report use case (i.e. reactivating WD and exploiting the vulnerability).  Fact remains, it's an unpatched vulnerability.  As I said, I wouldn't depend on that.  But it's completely up to you to evaluate the risk and whether or not you are comfortable with it on your machine.

cyberdiva

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 1,010
    • View Profile
    • Donate to Member
Thanks Wraith808.  I was somewhat confused about what would make Windows Defender up-to-date. I downloaded the most recent antispyware definitions, but there was nothing said about an update to the engine. However, I've now checked, and apparently the most recent antispyware definitions also updated the engine, since it's now said to be version 1.1.13704.0.

Thanks for encouraging me to get the update.

Curt

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 7,269
    • View Profile
    • Donate to Member
Quote from: TN Microsoft Security Advisory 4022344
Why is no action required to install this update?
In response to a constantly changing threat landscape, Microsoft frequently updates malware definitions and the Microsoft Malware Protection Engine. In order to be effective in helping protect against new and prevalent threats, antimalware software must be kept up to date with these updates in a timely manner.

For enterprise deployments as well as end users, the default configuration in Microsoft antimalware software helps ensure that malware definitions and the Microsoft Malware Protection Engine are kept up to date automatically.

https://technet.microsoft.com/en-us/library/security/4022344

wraith808

  • Supporting Member
  • Joined in 2006
  • **
  • default avatar
  • Posts: 8,939
    • View Profile
    • Donate to Member
WD wasn't enabled.  It won't update if it's not enabled.

Curt

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 7,269
    • View Profile
    • Donate to Member
WD wasn't enabled.  It won't update if it's not enabled.

-thank you, only now do I understand what the problem was

Arizona Hot

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 2,128
    • View Profile
    • Donate to Member
Win 10 Antiviruses.jpg   Win Defender version.jpgMassive vulnerability in Windows Defender leaves most Windows PCs vulnerable

Doesn't seem to have worked that way in this computer. Win Defender was Off and is updated beyond that version(1.1.113804).


wraith808

  • Supporting Member
  • Joined in 2006
  • **
  • default avatar
  • Posts: 8,939
    • View Profile
    • Donate to Member
Win 10 Antiviruses.jpg   Win Defender version.jpgMassive vulnerability in Windows Defender leaves most Windows PCs vulnerable

Doesn't seem to have worked that way in this computer. Win Defender was Off and is updated beyond that version(1.1.113804).



I think off and disabled are two different things.

tomos

  • Charter Member
  • Joined in 2006
  • ***
  • Posts: 10,830
    • View Profile
    • Donate to Member
Doesn't seem to have worked that way in this computer. Win Defender was Off and is updated beyond that version(1.1.113804).

where it didnt update (cyberdiva) was (as MSE) on Windows 7 computer.
May be different on 10?

cyberdiva

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 1,010
    • View Profile
    • Donate to Member
Doesn't seem to have worked that way in this computer. Win Defender was Off and is updated beyond that version(1.1.113804).

where it didnt update (cyberdiva) was (as MSE) on Windows 7 computer.
May be different on 10?
I confess that I'm not at all clear about any of this, but I stopped using MSE more than a year ago when I switched to Kaspersky (I had the offer of two free two-year subscriptions and decided to give Kaspersky a try). I've just checked with Everything Search, and Microsoft Security Essentials is not on my computer. Moreover, when I was using MSE, I'd get daily updates  for it through Windows Updates, but those updates stopped when I switched to Kaspersky.  Also, IIRC, Windows Defender existed separately on my computer from MSE when I was using MSE.

The arrangement I currently have is that Windows Defender does NOT automatically scan and does NOT use real-time protection. However, I think I changed the setting under Administrator from leaving "Use ths program" unchecked to having it checked. And since it's checked, it claims that the "program will alert all users if spyware or other potentially unwanted software attempts to run or install itself on this computer." Just how WD will know this if it doesn't automatically scan and doesn't use real-time protection isn't clear to me. FWIW, the version of the WD engine currently on my computer is 1.1.13804.0, and the antispyware version is 1.245.41.0.

tomos

  • Charter Member
  • Joined in 2006
  • ***
  • Posts: 10,830
    • View Profile
    • Donate to Member
^ you have me there !
I had a quick look, and found this, here:
https://answers.micr...99-93d2-f5ef78208994
Quote
Microsoft ... chose to use the Windows Defender name for 3 distinct products ...

Windows Defender (downloadable for XP, included on Vista and Windows 7, antispyware only, includes some useful system utilities, too, not present in MSE or Windows Defender/8-RT)

Windows Defender Offline (uses the same technology as MSE, but runs from a bootable disc created by the downloaded "wizard")

Windows Defender (included in Windows 8 and Windows RT [and Windows 10] that is a full antivirus and antispyware program)

MSE on two Windows 7 machines here is using the same 'engine' as the Windows 8/10 Defender, i.e. the version number posted by deozaan.

cyberdiva

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 1,010
    • View Profile
    • Donate to Member
Many thanks, tomos, for unravelling the identities of Windows Defender. I don't feel so bad now about being confused.  :)