Researcher says fixes to Windows Defender's engine incomplete
James Lee says Microsoft's A-V software still has remote code execution holes
In spite of a flurry of patches designed to fix Windows Defender, at least one security researcher reckons there's still work to be done.
James Lee, who has presented at conferences like Zer0con, has contacted The Register to say the key vulnerable component,
MsMpEng, is still subject to remote code execution.
While he hasn't provided full details to us, he's posted two remote code execution proof-of-concept videos at YouTube:
In spite of the system being fully patched (as shown in the first video), Lee's work shows Windows Defender crashing and unable to restart.
Lee told The Register his discoveries aren't related to what Microsoft's fixed in response to Project Zero's recent disclosures. Those, he wrote in an e-mail, covered “multiple denial-of-service, integer overflow, and use-after-free bugs”, while his work has drilled into type confusions and logical bugs.
Lee's demonstration that
MsMpEng needs to be sandboxed is in line with yet another Tweet from Ormandy (the world is waiting for what follows):
Sigh, more critical remote mpengine vulns. Found on Linux then reproduced on Windows, full report on the way. This needs to be sandboxed. pic.twitter.com/OzarAmOyH1— Tavis Ormandy (@taviso) June 7, 2017
Ever since early May,
MsMpEng's lack of sandboxing has been under increasing criticism from researchers. Yesterday, yet another sandbox escape was posted to GitHub by Thomas Vanhoutte. That contribution (not yet complete, Vanhoutte writes) aims to give a guest-privilege attacker the ability to use Defender to delete arbitrary files, including DLLs (which would offer various hijack opportunities). ®