Microsoft has integrated Windows Defender into its Windows operating system for a long time. Recently, the software giant patched a vulnerability in Windows Defender that had been undetected for 12 years. The bug was first spotted by security researchers last fall. Thankfully, hackers hadn’t discovered the bug for over a decade.
Researchers at security company SentinelOne discovered the flaw in a driver that Windows Defender, now known as Microsoft Defender, used to delete invasive files and infrastructure created by malware. When this particular driver removed malicious files, it replaced the file with a new placeholder file during its repair. Security researchers discovered the system didn’t specifically verify the new file.
Since the new file was unverified, attackers could insert strategic system links directing the driver to overwrite the wrong file or run malicious code. Microsoft’s protection software could have been harnessed for all manner of nefarious tasks by attackers with the flaw in place. An attacker exploiting this flaw could have deleted software or data and directed the driver to run their code to take over the computer.
A researcher at SentinelOne says that the bug allowed privilege escalation. That means software running with low privileges could elevate those privileges to administrator level and compromise the computer. The bug was first reported to Microsoft in mid-November 2020, and a patch was released last Tuesday.
Microsoft considered the vulnerability a “high” risk. However, it can only be exploited if the attacker already had access to the target computer, either remote or physical. With remote or physical access to the target computer, it could be compromised, allowing access into the target device’s network without gaining access to privileged user accounts of administrators. As for how the bug stayed hidden from security researchers and hackers alike for so long, the security researchers believe it was because the vulnerable driver isn’t stored on the computer hard drive full-time. Instead, it’s stored in the Windows dynamic-link library.