Microsoft patches another Defender vulnerability discovered by Google
Tavis Ormandy, security researcher at Google's Project Zero, has found another vulnerability in the anti-malware engine underlying Windows Defender. According to the researcher, Microsoft has patched it.
Ormandy reports that he found the vulnerability by fuzzing Windows' Malware Protection Engine, MsMpEng. A fuzzer automatically feeds a program arbitrary or partially valid input to see whether it reacts in an unexpected way, for example by crashing. In this way Ormandy found a heap corruption in an API, which he believes constitutes a 'powerful incentive for an exploit'. It would not be difficult to exploit.
According to the security researcher, Microsoft has patched the vulnerability, CVE-2017-8558, in version 1.1.13903.0 of the engine. Ormandy has found vulnerabilities in Defender twice before, in early and late May. The engine, which also forms the basis of Security Essentials and Endpoint Protection, contains a full x86 emulator that has no sandbox, is enabled by default and can be reached remotely by attackers. Based on his current finding, Ormandy suspects that the vulnerable API has never been subjected to fuzzing.