A bug in the Windows 10 Defender antivirus went 12 years unfixed.
Microsoft released its February Patch Tuesday updates yesterday, fixing a multitude of vulnerabilities in Windows 10. Among them were several zero-day vulnerabilities that allowed remote code execution on our computers as well as triggering blue screens. Microsoft also patched another flaw that had been present in the operating system for at least 12 years.
The flaw was announced by the cybersecurity company SentinelOne after Microsoft patched it yesterday, so that its existence could be disclosed with more peace of mind, knowing that a fix is available. However, the researchers have withheld most technical details to give the update more time to reach users.
Windows Defender was affected by the bug, and it went 12 years without a patch
The bug was present in Windows Defender, one of the most sensitive components of the operating system. Specifically, the flaw affects a driver the antivirus uses to remove invasive files and the infrastructure that malware creates to spread through the computer, a basic part of how any antivirus works. When the driver deletes a malicious file, it replaces it with a benign one as part of removing the malware. However, the researchers realized that Windows Defender did not verify the new file it created, so an attacker could manipulate the driver so that the wrong file was overwritten or even malicious code was executed.
Windows Defender is used as the Windows 10 antivirus by hundreds of millions of people around the world, since it is the one included in the system by default. A flaw in it, or in the driver, which is signed by Microsoft itself, is therefore dangerous: to the operating system the driver looks legitimate and safe when in fact it is not. The driver can be manipulated to delete software or data, as well as to run code that takes full control of the system, since the flaw allows privilege escalation.
Even Windows Vista users are affected
The flaw was reported to Microsoft in mid-November, and the company finally released the patch this week. The vulnerability was rated high-risk, but it could only be exploited by an attacker who already had remote or physical access to the computer. To exploit it, therefore, it would have to be combined with another vulnerability.
According to SentinelOne and Microsoft, there is no evidence that the vulnerability has been exploited. However, it is difficult to be certain, as 12 years is a long time, and it also means that Windows 7 users are now exposed to it. Furthermore, the researchers state that the vulnerability may have been present even longer, but their research only went back to 2009, the earliest samples in the VirusTotal antivirus database they used.
SentinelOne believes the flaw took so long to be discovered because the affected driver is not present on the computer all the time. Instead, it is loaded dynamically, in the manner of a "dynamic link library": the driver is loaded only when it is needed and removed afterward. They also warn that this type of flaw may exist in other antivirus software, and encourage other vendors to check their products for similar vulnerabilities.
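As a practical follow-up, here is an added PowerShell check (not from the article or from SentinelOne) that uses the built-in Defender cmdlet Get-MpComputerStatus to report the antimalware platform and engine versions, so an administrator can confirm the update has reached a machine; the minimum version values are placeholders to be taken from Microsoft's advisory.

```powershell
# Added example, not part of the article. Reports Defender's platform (which ships
# the drivers) and engine versions and compares them with a required minimum.
# The minimum versions are PLACEHOLDERS: replace them with the values in Microsoft's advisory.
$MinimumPlatformVersion = [version]'0.0.0.0'   # placeholder
$MinimumEngineVersion   = [version]'0.0.0.0'   # placeholder

function Test-DefenderUpdated {
    param(
        [version]$MinPlatform = $MinimumPlatformVersion,
        [version]$MinEngine   = $MinimumEngineVersion
    )
    # Get-MpComputerStatus comes with the Defender PowerShell module on Windows 10.
    $status   = Get-MpComputerStatus
    $platform = [version]$status.AMProductVersion   # antimalware platform version
    $engine   = [version]$status.AMEngineVersion    # scan engine version

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        PlatformVersion    = $platform
        EngineVersion      = $engine
        SignatureAge       = (Get-Date) - $status.AntivirusSignatureLastUpdated
        RealTimeProtection = $status.RealTimeProtectionEnabled
        PlatformUpToDate   = $platform -ge $MinPlatform
        EngineUpToDate     = $engine -ge $MinEngine
    }
}

$result = Test-DefenderUpdated
$result | Format-List

# Engine updates are delivered with the security intelligence (signature) updates;
# platform updates arrive through Windows Update, so an out-of-date platform means
# the machine still needs to install the monthly update.
if (-not $result.EngineUpToDate) {
    Update-MpSignature
    Test-DefenderUpdated | Format-List
}
```

Run the check across a fleet (for example via Invoke-Command) and treat any host reporting PlatformUpToDate as false as still unpatched.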