{"id":23346,"date":"2022-02-11T12:03:36","date_gmt":"2022-02-11T11:03:36","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=23346"},"modified":"2022-11-04T11:49:58","modified_gmt":"2022-11-04T10:49:58","slug":"microsoft-fixt-wohl-heimlich-schwachstelle-im-defender-unter-windows","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2022\/02\/11\/microsoft-fixt-wohl-heimlich-schwachstelle-im-defender-unter-windows\/","title":{"rendered":"Microsoft probably secretly fixes vulnerability in Defender under Windows"},"content":{"rendered":"<p><img decoding=\"async\" title=\"Windows\" style=\"float: left; margin: 0px 10px 0px 0px; display: inline\" alt=\"Windows\" src=\"https:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2021\/04\/Windows-klein.jpg\" width=\"200\" align=\"left\">[<a href=\"https:\/\/www.borncity.com\/blog\/2022\/02\/11\/microsoft-fixt-wohl-heimlich-schwachstelle-im-defender-unter-windows\/\" target=\"_blank\" rel=\"noopener\">German<\/a>]Microsoft Defender attracted attention some time ago due to a vulnerability in Windows that allowed malware to query the folders left out by the antivirus. It now looks like Microsoft has quietly corrected this vulnerability, because administrator privileges are now required to access this information on Windows. However, it is probably not yet fixed on all Windows systems and it is also unclear whether the fix will come via Windows Update (February 2022 patchday) or via an update to Defender on Windows. <\/p>\n<p><!--more--><\/p>\n<h2>Information disclosure vulnerability in Defender<\/h2>\n<p><img loading=\"lazy\" decoding=\"async\" alt=\"\" src=\"https:\/\/vg04.met.vgwort.de\/na\/f0cb3237c8634c6a9184b41f950c11aa\" width=\"1\" height=\"1\">I had noticed it, but had not picked it up separately on the blog. Microsoft Defender had a vulnerability that allowed malware on Windows to query folders left out by antivirus with standard user permissions. 
<\/p>\n<p>The background: In Defender, folders can be specified that should be excluded from a virus scan. Security researchers then <a href=\"https:\/\/twitter.com\/splinter_code\/status\/1481073265380581381\" target=\"_blank\" rel=\"noopener\">noticed<\/a> that the list of locations excluded from the Microsoft Defender scan is unprotected and any local user can read it. These paths are managed in the registry under the following key: <\/p>\n<p>HKLM\\Software\\Microsoft\\Windows Defender\\Exclusions<\/p>\n<p>Clumsy permission assignments allowed any local user, regardless of their privileges, to query these Defender registry entries. <\/p>\n<p><a href=\"https:\/\/twitter.com\/splinter_code\/status\/1481073265380581381\" target=\"_blank\" rel=\"noopener\"><img decoding=\"async\" title=\"Microsoft Defender flaw\" alt=\"Microsoft Defender flaw\" src=\"https:\/\/i.imgur.com\/KmsPqRK.png\"><\/a><\/p>\n<p>This made it possible to read the paths that Microsoft Defender is not allowed to scan for malware or dangerous files (paths excluded by the administrator's configuration). Windows 10 (in the current versions 21H1 and 21H2) was affected, but not Windows 11. The colleagues at Bleeping Computer had picked this up in <a href=\"https:\/\/web.archive.org\/web\/20221026105236\/https:\/\/www.bleepingcomputer.com\/news\/security\/microsoft-defender-weakness-lets-hackers-bypass-malware-detection\/\" target=\"_blank\" rel=\"noopener\">this article<\/a> in mid-January 2022 and published more details. The vulnerability is said to have existed for eight years, according to <a href=\"https:\/\/twitter.com\/SecurityAura\/status\/1481107646082072577\" target=\"_blank\" rel=\"noopener\">this tweet<\/a>. <\/p>\n<h2>Microsoft adjusts permissions<\/h2>\n<p>As part of undisclosed updates, Microsoft appears to have quietly fixed the Defender vulnerability in Windows outlined above by adjusting the permissions. 
The following <a href=\"https:\/\/twitter.com\/SecGuru_OTX\/status\/1491708672027901955\" target=\"_blank\" rel=\"noopener\">tweet<\/a> from a security researcher addresses the issue: administrator permissions are suddenly required to access the registry entries. <\/p>\n<p><a href=\"https:\/\/twitter.com\/SecGuru_OTX\/status\/1491708672027901955\" target=\"_blank\" rel=\"noopener\"><img decoding=\"async\" title=\"Defender vulnerability fixed?\" alt=\"Defender vulnerability fixed?\" src=\"https:\/\/i.imgur.com\/72ihM4d.png\"><\/a><\/p>\n<p>It looks like the February 8, 2022 security updates have fixed this vulnerability. Security researcher Antonio Cocomazzi confirms the fix in <a href=\"https:\/\/twitter.com\/splinter_code\/status\/1491777485457039363\" target=\"_blank\" rel=\"noopener\">his tweet<\/a>. However, security researcher Will Dormann <a href=\"https:\/\/twitter.com\/wdormann\/status\/1491805838293540864\" target=\"_blank\" rel=\"noopener\">writes<\/a> that in his case it has not been fixed on all machines. <\/p>\n<p><a href=\"https:\/\/twitter.com\/wdormann\/status\/1491805838293540864\" target=\"_blank\" rel=\"noopener\"><img decoding=\"async\" title=\"Defender vulnerability fixed?\" alt=\"Defender vulnerability fixed?\" src=\"https:\/\/i.imgur.com\/Z2wOl9m.png\"><\/a><\/p>\n<p>The above <a href=\"https:\/\/twitter.com\/wdormann\/status\/1491805838293540864\" target=\"_blank\" rel=\"noopener\">tweets<\/a> reflect the discussion. It is currently unclear to me whether the changes are delivered via Windows Update or via updates to the Defender scan engine under Windows. The colleagues from Bleeping Computer pulled the information together and covered it in more detail in <a href=\"https:\/\/web.archive.org\/web\/20220418040338\/https:\/\/www.bleepingcomputer.com\/news\/microsoft\/microsoft-fixes-defender-flaw-letting-hackers-bypass-antivirus-scans\/\" target=\"_blank\" rel=\"noopener\">this article<\/a>. 
<\/p>\n","protected":false},"excerpt":{"rendered":"<p>[German]Microsoft Defender attracted attention some time ago due to a vulnerability in Windows that allowed malware to query the folders left out by the antivirus. It now looks like Microsoft has quietly corrected this vulnerability, because administrator privileges are now &hellip; <a href=\"https:\/\/borncity.com\/win\/2022\/02\/11\/microsoft-fixt-wohl-heimlich-schwachstelle-im-defender-unter-windows\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[580,1547,2],"tags":[646,773,69,194],"class_list":["post-23346","post","type-post","status-publish","format-standard","hentry","category-security","category-software","category-windows","tag-antivirus","tag-defender","tag-security","tag-windows"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/23346","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=23346"}],"version-history":[{"count":0,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/23346\/revisions"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=23346"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=23346"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=23346"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}