A Windows Defender vulnerability lurked undetected for 12 years

Shadowy figures stand beneath a Microsoft logo on a faux wood wall.

Enlarge (credit: Drew Angerer | Getty Images)

Adobe Flash hacking or the EternalBlue exploit for Windows, some methods are just too good for attackers to abandon, even if they’re years past their prime. But a critical 12-year-old bug in Microsoft’s ubiquitous Windows Defender antivirus was seemingly overlooked by attackers and defenders alike until recently. Now that Microsoft has finally patched it, the key is to make sure hackers don’t try to make up for lost time.

The flaw, discovered by researchers at the security firm SentinelOne, showed up in a driver that Windows Defender—renamed Microsoft Defender last year—uses to delete the invasive files and infrastructure that malware can create. When the driver removes a malicious file, it replaces it with a new, benign one as a sort of placeholder during remediation. But the researchers discovered that the system doesn’t specifically verify that new file. As a result, an attacker could insert strategic system links that direct the driver to overwrite the wrong file or even run malicious code.

Read 8 remaining paragraphs | Comments