Priya PatelTLDR:
- Researchers from SafeBreach discovered vulnerabilities in Windows Defender that could allow attackers to remotely delete files.
- Exploiting these vulnerabilities could lead to data loss and system instability.
Researchers from SafeBreach have identified vulnerabilities in Windows Defender that could potentially be exploited by attackers to remotely delete files on computers. During their presentation at the Black Hat conference, security researchers Tomer Bar and Shmuel Cohen showcased their findings, including the discovery of vulnerability CVE-2023-24860. By exploiting this vulnerability, attackers could bypass security controls on both Windows and Linux servers, allowing them to delete critical files without authentication.
The researchers used a black box approach to extract byte signatures from Endpoint Detection and Response (EDR) systems, specifically targeting Windows Defender. They developed a Python tool to minimize binaries into the smallest possible signature, identifying 130 unique signatures that were then manually embedded into legitimate files to test the vulnerability.
Several attack vectors were demonstrated, such as remote deletion of web server logs, local mailbox files in Mozilla Thunderbird, and Windows event log files. The researchers also showed how Windows Defender could be tricked into deleting its own detection logs, a process they referred to as “self-cannibalism.”
Microsoft released a fix for CVE-2023-24860 in response to the researchers’ initial report, but SafeBreach found the fix to be incomplete. Further research led to the discovery of CVE-2023-36010, a bypass to the initial fix. While some attack vectors were patched, others remained exploitable. Microsoft made improvements to reduce the risk of false positives and data loss, allowing customers to configure Defender to quarantine all remediation actions by default.
It is essential for organizations to stay informed about advanced cyber threats and deploy necessary safeguards to protect their systems from potential vulnerabilities in security software like Windows Defender.
