[German]Microsoft Defender attracted attention some time ago due to a vulnerability in Windows that allowed malware to query the folders left out by the antivirus. It now looks like Microsoft has quietly corrected this vulnerability, because administrator privileges are now required to access this information on Windows. However, it is probably not yet fixed on all Windows systems and it is also unclear whether the fix will come via Windows Update (February 2022 patchday) or via an update to Defender on Windows.
Advertising
Information disclosure vulnerability in Defender
I had noticed it, but had not picked it up separately on the blog. Microsoft Defender had a vulnerability that allowed malware on Windows to query folders left out by antivirus with standard user permissions.
The background: In Defender, folders can be specified that should be excluded from a virus scan. Security researchers then noticed that the list of locations excluded from the Microsoft Defender scan is unprotected and any local user can access it. These paths are managed in the registry under the following key:
HKLM\Software\Microsoft\Windows Defender\Exclusions
Clumsy permissions assignments allowed local users (anyone), regardless of their permissions, to query Defender registry entries.
Advertising
This allowed querying the paths that Microsoft Defender is not allowed to scan for malware or dangerous files (due to administrator defaults). Windows 10 (in the current versions 21H1 and 21H2) was affected, but not Windows 11. The colleagues at Bleeping Computer had picked this up in this article in mid-January 2022 and published more details. The vulnerability is said to have existed for eight years, according to this tweet.
Microsoft adjusts permissions
As part of undisclosed updates, Microsoft appears to have quietly fixed the Defender vulnerability in Windows outlined above by adjusting permissions. The following tweet from a security researcher addresses the issue. Administrator permissions are suddenly required to access registry entries.
It looks like the February 8, 2022 security updates have fixed this vulnerability. Security researcher Antonio Cocomazzi confirms this fix in his tweet. However, security researcher Will Dormann writes that this has not been fixed on all machines in his case.
The above tweets reflect the discussion. It is currently unclear to me whether the changes are implemented via Windows Update or via updates to the Defender scan engine under Windows. The colleagues from Bleeping Computer pulled the information together and have covered it in more details within this article.
Advertising