Microsoft downplays alarm over Windows Defender 'flaw'

Security researchers have uncovered what they believe is a vulnerability that allows malware to completely bypass Windows Defender. Microsoft dismissed the report as of "limited practical applicability" in practice (i.e. a low-risk threat). The team at CyberArk Labs nonetheless claims the security shortcoming could impact tens …

  1. Anonymous Coward
    Meh

    Security Researchers

    There are some very good ones, then some just seem to be little more than click bait generators.

    If you do this and this, then this, ignore this, grant admin to this, ignore 10 warnings, and do this, sit at the pc and this, then this, be a domain admin and then click and ignore this, then you can "Wow Hack the PC!"

    1. Anonymous Coward
      Anonymous Coward

      Re: Security Researchers

      I agree. This is far into the theoretical, as it assumes an utter neglect for all warning - one is maybe acceptable, but ignoring all warnings ventures into the implausible. I don't think it's a concern.

      It's basically saying that if you let a complete stranger into the house and then leave him or her alone with your wallet after watching a wanted notice for them on TV, there's a chance that you may be short of a few quid when they leave. Well, duh - most people I know don't exactly struggle to avoid that situation, even without explicit warning.

      Genuinely nothing to see here, please move along.

      1. DailyLlama
        Facepalm

        Re: Security Researchers

        "This is far into the theoretical, as it assumes an utter neglect for all warning - one is maybe acceptable, but ignoring all warnings ventures into the implausible"

        You've never seen users just clicking boxes to make them disappear then? Most people don't even read them, just click OK to get it off the screen.

    2. nuked

      Re: Security Researchers

      CyberArk appear to be a pretty big deal in the field, and I'm sure MS are not at all motivated to underplay the severity of a vulnerability in their flagship protection software...

    3. Tigra 07
      Thumb Down

      Re: Security Researchers

      This looks the equivalent of complaining to Microsoft that it's their fault the user can manually install malware if they do everything possible to prevent the system from stopping it...

      Yeah, it's possible to do a lot of things if you deactivate the security, manually install a virus, give it admin privileges to run, etc. As much as I like Windows bashing, this Security Researcher sounds like an attention whore.

      1. Naselus

        Re: Security Researchers

        "As much as I like Windows bashing, this Security Researcher sounds like an attention whore."

        CyberArk have prior form in that area, tbh - I can recall at least two other 'security bugs' they've found which were beyond ridiculous. One required the attacker to already have admin access to the box, which rather leaves you wondering what they were going to use the flaw to do.

        1. Tigra 07
          Trollface

          Re: Security Researchers

          And another involved a bug where the system was susceptible if the Researcher first downgraded the system to Windows XP and manually installed malware?

    4. oxfordmale78

      Re: Security Researchers

      Never underestimate the stupidity of users...you only need one of them.

      1. Korev Silver badge
        Coat

        Re: Security Researchers

        Yep and then they make you Wannacry

  2. Anonymous Coward
    Anonymous Coward

    Not a problem...

    If you run Windows then your incoming network traffic will be endless Windows updates, and your outgoing traffic will be all your documents winging their way to Microsoft’s telemetry servers, and then on to ad agencies worldwide. No spare bytes on the line for rogue SMB queries.

  3. Missing Semicolon Silver badge
    Unhappy

    The revelation...

    is that Defender doesn't scan the executable as it is loaded by CreateProcess, but separately opens the file, scans the data it finds, then allows CreateProcess to continue.

    This is ripe for exploitation by anything that can also hook file system reads.

    1. Anonymous Coward
      Anonymous Coward

      Re: The revelation...

      My guess is that even if it hooks CreateProcess(), it will later use file functions separately to open and read the file. If you can spot who is asking to read the file, and pass different data. it will work.

      Otherwise the data loaded by CreateProcess() should be first sent to the AV - but CreateProcess() may not read the whole file - i.e. resources may be loaded on-demand by application code, thereby an antimalware solution may need to read the file separately anyway.

      Of course it's much easier to perform the trick on SMB than locally (you would have rootkitted the local machine already to perform that).

    2. clocKwize

      Re: The revelation...

      Hooking these calls in other processes is something that would require admin privileges, and if it's against a built-in app (explorer, etc), would have to disable something (can't remember what its called) to work still... Chances are, if you're that far in, you don't need to get around defender any more
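The mechanism the thread is describing (comment 3 and its first reply) is a classic double fetch: the scanner reads the file once, the loader reads it again, and a file server that can tell the two readers apart can hand each a different byte stream. Below is an added illustration of that gap and of two ways a scanner can close it. It is a constructed model, not Windows Defender's real internals and not CyberArk's proof of concept: the `RogueShare` class, the `"scanner"`/`"loader"` requester labels, the sample images and the signature list are all hypothetical stand-ins for the protocol-level details a real rogue SMB server would key on.

```python
"""Constructed model of the scan-then-load gap discussed in the thread.

Added example, not code from the article, from Microsoft or from CyberArk.
The share, the requester labels and the signature set are hypothetical.
"""
import hashlib

# Constructed sample files: a harmless image and one carrying a "signature".
BENIGN_IMAGE = b"MZ\x90\x00" + b"hello, world" * 4
MALICIOUS_IMAGE = b"MZ\x90\x00" + b"EVIL-PAYLOAD" * 4
SIGNATURES = (b"EVIL-PAYLOAD",)


def scanner_says_clean(data: bytes) -> bool:
    """Toy signature scanner: clean unless a known pattern is present."""
    return not any(sig in data for sig in SIGNATURES)


class HonestShare:
    """A file server that returns the same bytes to every requester."""

    def __init__(self, image: bytes = BENIGN_IMAGE):
        self.image = image

    def read(self, requester: str) -> bytes:
        return self.image


class RogueShare:
    """Hypothetical server that serves benign bytes to the scanner's read and
    the real payload to the process loader's read (assumed, for the model,
    to be distinguishable by a requester label)."""

    def read(self, requester: str) -> bytes:
        return BENIGN_IMAGE if requester == "scanner" else MALICIOUS_IMAGE


def launch_with_separate_scan(share):
    """The pattern the commenters describe: the AV opens and reads the file
    on its own, and only afterwards does the loader read it a second time.
    Two reads from a remote server are two chances to see different bytes."""
    if not scanner_says_clean(share.read("scanner")):
        return "blocked", None
    image = share.read("loader")          # second fetch, never re-checked
    return "executed", image


def launch_scanning_loaded_bytes(share):
    """Mitigation 1: scan exactly the bytes that will be mapped and run."""
    image = share.read("loader")
    if not scanner_says_clean(image):
        return "blocked", None
    return "executed", image


def launch_hash_bound(share):
    """Mitigation 2, for a scanner that must read separately (e.g. to see
    resources the loader only maps on demand): bind the verdict to a hash
    of what was scanned and refuse to run if the loader's copy differs."""
    scanned = share.read("scanner")
    if not scanner_says_clean(scanned):
        return "blocked", None
    verdict_hash = hashlib.sha256(scanned).digest()
    image = share.read("loader")
    if hashlib.sha256(image).digest() != verdict_hash:
        return "blocked", None             # content changed between check and use
    return "executed", image


if __name__ == "__main__":
    for name, fn in [("separate scan", launch_with_separate_scan),
                     ("scan loaded bytes", launch_scanning_loaded_bytes),
                     ("hash-bound verdict", launch_hash_bound)]:
        print(f"{name:20s} honest share -> {fn(HonestShare())[0]:8s} "
              f"rogue share -> {fn(RogueShare())[0]}")
```

Running it shows the first launcher executing the malicious image from the rogue share while both mitigations block it, and all three still executing the honest share's benign image. The hash-bound variant is the one relevant to the reply's point that an antimalware engine may have to read the file separately anyway: it does not remove the second read, it just makes the verdict worthless unless the loader saw the same bytes.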

  4. DontFeedTheTrolls
    Boffin

    Is it a potential attack vector? Yes

    Is it easy to exploit? No

    Should Microsoft fix it? Yes

    When should Microsoft fix it? Within the regular lifecycle of low priority fixes.

  5. Zippy's Sausage Factory
    Facepalm

    So, users have to click through a boatload of warnings to make it happen?

    Hmm... I've known users who are worse.

    Case in point: a user calls me (DBA, at the time) directly, bypassing helpdesk, screaming because he can't print. Yes, he's logged in. Yes, he can open the print queue. It says "offline - error". What am I going to do about it?

    So I ask if he has checked to see if the printer is plugged in.

    Well yes it is. But there's smoke coming out of it, would that cause a problem?

    Since then, users have failed to surprise me.

    1. iron Silver badge

      Your first mistake was asking him anything. You should have told him to call the helpdesk and hung up.

    2. Semtex451
      Windows

      *Boatload*

      Look I can't see *Boatload* listed on the El Reg or SI Unit tables.

      Could someone help or put me out to pasture (rivet gun)?

      1. DJO Silver badge

        Re: *Boatload*

        "Boatload" is a derivation of "shipload" which is a bowdlerised version of "shitload" so as boats are smaller than ships I'd propose 10 boatloads = 1 shitload/shipload.

        1. I ain't Spartacus Gold badge
          Happy

          Re: *Boatload*

          How does this boatload/shipload/shitload metric relate to the old imperial shedload?

          1. PeteA

            Re: *Boatload*

            1 shitload : 0.89 shedloads in my neck of the woods. And don't forget the fucktonne, which is so big I can't imagine it.

            1. Anonymous Coward
              Anonymous Coward

              Re: *Boatload*

              We were always advised to use 'metric fucktonne'. I assume that must be somehow smaller than a fucktonne. I guess from those instructions that fucktonne must be imperial.

              1. Will Godfrey Silver badge
                Unhappy

                Re: *Boatload*

                Doh. There is no trailing 'ne' in fuckton - that's a bit of French affectation reserved for Metric measures.

                1. I ain't Spartacus Gold badge

                  Re: *Boatload*

                  I agree. It must be a fuckton. Because you can also have a metric craptonne.

  6. tiggity Silver badge

    Do they have to click through lots of warnings?

    Say a network is reasonably locked down but you have compromised one machine on that network, then you could run your own malicious SMB server that does this trick, without generating lots of messages (especially if the machine is something used a lot such as a document repository machine)

  7. Anonymous Coward
    Anonymous Coward

    "This doesn't seem to be a security issue but a feature request, [...]"

    It's not a bug - it's a feature.

    FTFY

  8. james 68

    Funnily enough...

    Mostly unrelated other than involving Defender and malware.

    Just two days ago I opened Defender to update and run a full scan (as I usually do once a week to supplement the normal automated quick scans and the active scanning), anyone care to guess what happened when the update finished downloading?

    Defender marked its own update as "Severe - Trojan:Win32/Vagger!rfn" and threw it into quarantine.

    Yay me.

    Rather than faff around I just formatted and reinstalled, I keep regular backups so nothing was lost and all was again well. To many this may seem an extreme reaction, but without knowing if the update was compromised or if Defender itself was compromised and hence quarantining any updates which might kill the infection I considered it the best course of action. Either way I am unimpressed with the security of Defender.

  9. Inventor of the Marmite Laser Silver badge

    There ARE PLENTY of users THAT stupid

    Like it sez ^^^^

    1. kain preacher

      Re: There ARE PLENTY of users THAT stupid

      And for those users you would find yourself re-imaging their PC anyway, if not for this exploit then for something else.

  10. pixl97

    Samba

    All this talk of "must trust an untrustworthy .exe" goes away the first moment someone makes a plug-in for Samba that can be used as part of a remote compromise. Suddenly your 'trusted' NAS can pick away at your Windows boxes and it will be very confusing as to what is occurring.

  11. chivo243 Silver badge
    Devil

    Drunk, horny looking for porn

    I bet they would click away rights to their first born! Like Bender said: "Warning, perform virus scan? Pffft, I'm waiting for porn over here."

    never underestimate nasty needs...

    1. Anonymous Coward
      Anonymous Coward

      Re: Drunk, horny looking for porn

      "never underestimate nasty needs..."

      never underestimate human nature...

      FTFY

  12. Anonymous Coward
    Anonymous Coward

    SMB

    That's all fine and well. When the Wannacrypt came out - I ensured that SMB was killed as a process. Reducing the target footprint means that the exploit is unlikely to be used.

    1. Anonymous Coward
      Anonymous Coward

      Re: SMB

      You may stop SMB-related services in a simple stand-alone PC, you can't do that in an AD domain, for example.

      1. Anonymous Coward
        Anonymous Coward

        Re: SMB

        Yes you can...

        https://support.microsoft.com/en-gb/help/2696547/how-to-detect-enable-and-disable-smbv1-smbv2-and-smbv3-in-windows-and

  13. TVU Silver badge

    "Microsoft downplays alarm over Windows Defender 'flaw'"

    ^ Well, that's a shock! Who'd have thought that a Redmond operating system would have any security vulnerabilities.

  14. Anonymous Coward
    Anonymous Coward

    Stating the obvious

    Win Defender isn't that good.

    Bears go for jobbies in the woods.

    Pope probably not a Jew.

    Trumpos Mentis probably means the opposite of Compos Mentis.

  15. Gis Bun

    "To be successful, an attacker would first need to convince...." Shouldn't be too hard for the average novice yesterday. Most of them get excited/nervous about anything they don't understand.

  16. InNY

    Hum...

    "To be successful, an attacker would first need to convince a user to give manual consent to execute an unknown binary from an untrusted remote location. The user would also need to click through additional warnings in order to grant the attacker Administrator privileges"

    Isn't this the standard behaviour of most people? Absolutely nothing out of the ordinary as far I can tell.

  17. Howard Hanek
    Meh

    Right

    ....it's the 'impractical' applicability that gets you every time.
