Microsoft Patches 12-Year-Old VulnerabilityFlaw Was Present in Microsoft Defender Since 2009, SentinelOne Finds
Microsoft has patched a 12-year-old vulnerability in Microsoft Defender that, if exploited, could enable nonadministrative users to escalate privileges in the application. The patch was made after security firm SentinelOne recently notified Microsoft about the flaw.
The vulnerability, tracked as CVE-2021-24092, is a driver flaw in Microsoft Defender, formerly known as Windows Defender, which is the company's anti-spyware application for its operating systems.
The driver flaw has been present in Microsoft Defender versions starting in 2009, SentinelOne says in a new report. But the vulnerability, which is not considered severe, has not been exploited in the wild, the security firm says.
"Bad actors will probably figure out how to leverage it on unpatched systems," SentinelOne says. "Using such a vulnerability to run code is often more tricky but not impossible; certain primitives need to be utilized, but this can still be used for various malicious activities, such as disabling security products."
Microsoft patched the vulnerability on Feb. 9 after being notified by SentinelOne, according to the report.
SentinelOne says that in November 2020 it identified a flaw in a driver that forms part of the remediation process within Windows Defender. This driver is responsible for deleting file systems and registry resources created by malicious software.
"When loaded, the driver first creates a handle to a file that contains the log of its operations when activated. The problem resides in the way the driver creates the handle to this particular file," the SentinelOne report notes.
Because the driver does not have a verification link, attackers can create a link that can enable them to overwrite arbitrary files.
The vulnerability likely remained undiscovered for years because the "driver is normally not present on the hard drive but rather dropped and activated when needed and then purged away," SentinelOne says.
Matt Walmsley, EMEA director at security firm Vectra, notes the Windows Defender vulnerability is just the latest in a long list of undiscovered vulnerabilities.
"All software has imperfections, and no defenses can ever be foolproof," Walmsley says. "That’s why security architects blend defensive controls alongside detection and response capabilities.
"Stop what you can, but assume you’re already compromised. By detecting the threats you’ve been unable to initially block, you can work on quickly shutting down a developing attack and then remediate. That way, even when an organization becomes compromised, you significantly minimize the time an attacker can operate before they’re discovered and thwarted."
Another far more significant flaw in a Microsoft product was discovered in recent months.
In September 2020, Microsoft and the U.S. Cybersecurity and Infrastructure Security Agency issued warnings that a critical vulnerability in Windows Server dubbed "Zerologon" was being exploited in the wild. They urged users to immediately apply an available partial patch (see: Warning: Attackers Exploiting Windows Server Vulnerability). This month, Microsoft pushed out the second half of the patch (see: Microsoft Issues Second Patch for Netlogon Vulnerability).
And in August 2020, the FBI warned that organizations using Microsoft Windows 7 were in danger of attackers exploiting vulnerabilities in the unsupported operating system to gain network access (see: FBI Warns of Serious Risks Posed by Using Windows 7).