Researcher says fixes to Windows Defender's engine incomplete

James Lee says Microsoft's A-V software still has remote code execution holes

In spite of a flurry of patches designed to fix Windows Defender, at least one security researcher reckons there's still work to be done.

James Lee, who has presented at conferences like Zer0con, has contacted The Register to say the key vulnerable component, MsMpEng, is still subject to remote code execution.

As with the bugs disclosed by Tavis Ormandy and fellow Project Zero researcher Mateusz Jurczyk, the bugs Lee's outlined to us arise because of insufficient sandboxing.

While he hasn't provided full details to us, he's posted two remote code execution proof-of-concept videos at YouTube:

Youtube Video

Youtube Video

In spite of the system being fully patched (as shown in the first video), Lee's work shows Windows Defender crashing and unable to restart.

Lee told The Register his discoveries aren't related to what Microsoft's fixed in response to Project Zero's recent disclosures. Those, he wrote in an e-mail, covered “multiple denial-of-service, integer overflow, and use-after-free bugs”, while his work has drilled into type confusions and logical bugs.

Lee's demonstration that MsMpEng needs to be sandboxed is in line with yet another Tweet from Ormandy (the world is waiting for what follows):

Ever since early May, MsMpEng's lack of sandboxing has been under increasing criticism from researchers. Yesterday, yet another sandbox escape was posted to GitHub by Thomas Vanhoutte. That contribution (not yet complete, Vanhoutte writes) aims to give a guest-privilege attacker the ability to use Defender to delete arbitrary files, including DLLs (which would offer various hijack opportunities). ®


Biting the hand that feeds IT © 1998–2017