A critical security vulnerability was identified in Windows Defender, the anti-malware component that ships pre-installed with every copy of Microsoft Windows, which puts well over a billion devices in scope.
The vulnerability lets a local attacker escalate privileges, which in turn can serve as a stepping stone for more sophisticated attacks.
What is worth noting is that the flaw went unnoticed for over twelve years before being discovered. The reason it stayed hidden for so long is the very specific set of conditions required to trigger it.
Windows Defender has a remediation process carried out by a driver called “BTR.sys”. This driver removes malicious files and registry entries from kernel mode. While doing so, it keeps a log of the operations performed on each file, and it opens a handle to a log file for that purpose. The issue lies in how that handle is created.
According to a blog post published by researchers at SentinelLabs, the register holding the “CreateDisposition” argument was zeroed by XORing it with itself. Since the constant “FILE_SUPERSEDE” has the value 0, the call always uses that disposition. With “FILE_SUPERSEDE”, an existing file at the path is deleted and a new file is created in its place. As the image in the post shows, the driver never checks whether the path it is about to supersede is a regular file or a link.
Consequently, an attacker can plant a link at “C:\Windows\Temp\BootClean.log” that points at whichever file they want overwritten. When the driver supersedes the log, the target of the link is replaced instead, which amounts to an arbitrary file overwrite.
Another variant uses a hard link to an executable: the attacker creates the link and then triggers the remediation phase, during which BTR is loaded, so the executable ends up overwritten.
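The check a defender would want here is whether the log path named above has been replaced by a link. The following PowerShell script is an added example (not code from SentinelLabs or Microsoft) that flags a reparse point (symbolic link or junction) or a second hard link at that path. It assumes a Windows host with NTFS and `fsutil.exe` available; the function name and output shape are our own.

```powershell
# Added example, not part of the original write-up or the driver's code.
# Flags a planted link at the Defender remediation log path discussed above.
# Assumes Windows/NTFS and fsutil.exe; the path default comes from the article.
function Test-PlantedLink {
    param(
        [string]$Path = 'C:\Windows\Temp\BootClean.log'
    )

    $result = [ordered]@{
        Path           = $Path
        Exists         = $false
        IsReparsePoint = $false
        LinkType       = $null
        LinkTarget     = $null
        HardLinkCount  = 0
        HardLinks      = @()
        Suspicious     = $false
    }

    $item = Get-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue
    if (-not $item) { return [pscustomobject]$result }
    $result.Exists = $true

    # Symbolic links and junctions carry the ReparsePoint attribute; a plain file does not.
    # LinkType/Target are the properties the FileSystem provider adds to Get-Item output.
    if ($item.Attributes -band [IO.FileAttributes]::ReparsePoint) {
        $result.IsReparsePoint = $true
        $result.LinkType       = $item.LinkType
        $result.LinkTarget     = $item.Target
    }

    # Hard links have no attribute of their own: every name is a first-class entry.
    # fsutil enumerates all names that refer to the same NTFS file record.
    # (May require elevation for files the caller cannot read; errors are swallowed.)
    $links = @(& fsutil.exe hardlink list $Path 2>$null | Where-Object { $_ -ne '' })
    $result.HardLinks     = $links
    $result.HardLinkCount = $links.Count

    # One name for the log is normal. A reparse point or a second hard link means a
    # FILE_SUPERSEDE open on this path would replace whatever the attacker pointed it at.
    $result.Suspicious = $result.IsReparsePoint -or ($result.HardLinkCount -gt 1)
    return [pscustomobject]$result
}

Test-PlantedLink | Format-List
```

Run it before and after provoking a Defender remediation on a test machine; a `Suspicious` value of `$true` on a path the driver opens with `FILE_SUPERSEDE` is exactly the precondition the write-up describes.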
There are many samples of this driver on VirusTotal dating back as far as twelve years. Because of the time limit on VirusTotal’s search feature, earlier instances could not be confirmed, but there is a good chance the vulnerability existed before that period as well.
The likely reason the bug stayed hidden for so long is that the driver is not kept on the hard drive at all: it is dropped under a random name only when it is needed and deleted again afterwards, so it rarely surfaces in file system scans or audits. Fully updated machines are not affected by this vulnerability, and they also carry the hard-link hardening that blocks the broader class of EoP exploits built on native hard links.
Update your Windows devices
Although this vulnerability has been fixed in the latest update, it remains exploitable on any machine, new or old, that has not received that update. Update your devices without further delay.
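To confirm that an endpoint actually carries the fix, compare the running Defender engine and platform versions against the minimum your advisory specifies. The following PowerShell is an added example (not Microsoft's code); it uses the Defender cmdlets `Get-MpComputerStatus` and `Update-MpSignature`, and the minimum version is a hypothetical parameter you supply from the vendor advisory, since the article does not give one.

```powershell
# Added example, not from the original article or Microsoft.
# Reports Defender engine/platform versions and whether they meet an
# administrator-supplied minimum (hypothetical parameter; take the real value
# from Microsoft's advisory). Requires the Defender PowerShell module.
function Get-DefenderUpdateState {
    param(
        [version]$MinimumEngineVersion,
        [version]$MinimumPlatformVersion,
        [switch]$UpdateIfStale
    )

    $status = Get-MpComputerStatus
    $engine   = [version]$status.AMEngineVersion    # scanning engine (mpengine)
    $platform = [version]$status.AMProductVersion   # antimalware platform

    $engineOk   = if ($MinimumEngineVersion)   { $engine   -ge $MinimumEngineVersion }   else { $null }
    $platformOk = if ($MinimumPlatformVersion) { $platform -ge $MinimumPlatformVersion } else { $null }

    $stale = ($engineOk -eq $false) -or ($platformOk -eq $false)
    if ($stale -and $UpdateIfStale) {
        # Pulls the latest engine/platform/signature package through the
        # configured update source (Microsoft Update, WSUS, or MMPC).
        Update-MpSignature -ErrorAction Stop
        $status   = Get-MpComputerStatus
        $engine   = [version]$status.AMEngineVersion
        $platform = [version]$status.AMProductVersion
    }

    [pscustomobject]@{
        ComputerName      = $status.ComputerID
        EngineVersion     = $engine
        PlatformVersion   = $platform
        SignatureVersion  = $status.AntivirusSignatureVersion
        SignatureUpdated  = $status.AntivirusSignatureLastUpdated
        EngineMeetsMin    = $engineOk
        PlatformMeetsMin  = $platformOk
        ActionTaken       = if ($stale -and $UpdateIfStale) { 'Update-MpSignature' } else { 'none' }
    }
}

# Example invocation; the version numbers below are placeholders, not the real fix level.
Get-DefenderUpdateState -MinimumEngineVersion '1.1.0.0' -MinimumPlatformVersion '4.18.0.0' | Format-List
```

Run it across a fleet with your remoting tool of choice and sort on `EngineMeetsMin`/`PlatformMeetsMin` to find the machines that still need attention.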