Microsoft Patches Another Windows Defender Bug

Written by

Microsoft has issued a patch for its Windows Defender security product after Google Project Zero researcher Tavis Ormandy found yet another issue with it, this time one which could crash the AV tool.

CVE-2017-8558 affects Windows Defender (32 and 64-bit) running in Windows 10, Windows 8.1, Windows 8.1 RT, Windows 7 and Windows Server 2016.

Redmond fixed the bug a few days ago with version 1.1.13903.0 of the Microsoft Malware Protection Engine (MsMpEng).

The problem relates to an open apicall instruction in the x86 emulator.

“This full system x86 emulator runs as SYSTEM, is unsandboxed, is enabled by default and remotely accessible to attackers,” explained Ormandy.

“I took a quick stab at writing a fuzzer and immediately found heap corruption in the KERNEL32.DLL!VFS_Write API, I suspect this has never been fuzzed before.”

The news comes just a few weeks after Microsoft was forced to fix another bug in its Malware Protection Engine.

CVE-2017-0290, also discovered by Google Project Zero researchers Natalie Silvanovich and Tavis Ormandy, could allow remote code execution if MsMpEng scans a specially crafted file.

At the time, the duo claimed that vulnerabilities in the engine “are among the most severe possible in Windows, due to the privilege, accessibility, and ubiquity of the service.”

That’s probably why Microsoft has been quick to fix both of these recently discovered bugs.

Noted British researcher Ormandy for one had nothing but praise for Redmond’s speedy response, claiming last month he was “blown away at how quickly Microsoft responded to protect users.”

Windows Defender is currently at the center of a major antitrust investigation in Russia, with AV firm Kaspersky Lab urging regulators in other countries to look into what it claims is Microsoft unfairly treating third party security vendors.

“When you upgrade to Windows 10, Microsoft automatically and without any warning deactivates all ‘incompatible’ security software and in its place installs … you guessed it – its own Defender antivirus,” CEO Eugene Kaspersky has claimed.

Microsoft hit back at the allegations in a lengthy missive last week.

What’s hot on Infosecurity Magazine?