Slashdot Mirror


Microsoft Modifies Open-Source Code, Blows Hole In Windows Defender (theregister.co.uk)

An anonymous reader quotes a report from The Register: A remote-code execution vulnerability in Windows Defender -- a flaw that can be exploited by malicious .rar files to run malware on PCs -- has been traced back to an open-source archiving tool Microsoft adopted for its own use. The bug, CVE-2018-0986, was patched on Tuesday in the latest version of the Microsoft Malware Protection Engine (1.1.14700.5) in Windows Defender, Security Essentials, Exchange Server, Forefront Endpoint Protection, and Intune Endpoint Protection. This update should be installed, or may have been automatically installed already on your device. The vulnerability can be leveraged by an attacker to achieve remote code execution on a victim's machine simply by getting the mark to download -- via a webpage or email or similar -- a specially crafted .rar file while the anti-malware engine's scanning feature is on. In many cases, this analysis set to happen automatically.

When the malware engine scans the malicious archive, it triggers a memory corruption bug that leads to the execution of evil code smuggled within the file with powerful LocalSystem rights, granting total control over the computer. The screwup was discovered and reported to Microsoft by legendary security researcher Halvar Flake, now working for Google. Flake was able to trace the vulnerability back to an older version of unrar, an open-source archiving utility used to unpack .rar archives. Apparently, Microsoft forked that version of unrar and incorporated the component into its operating system's antivirus engine. That forked code was then modified so that all signed integer variables were converted to unsigned variables, causing knock-on problems with mathematical comparisons. This in turn left the software vulnerable to memory corruption errors, which can crash the antivirus package or allow malicious code to potentially execute.

2 of 71 comments (clear)

  1. GPL Violation? by hackel · · Score: 1, Flamebait

    It seems like the bigger story here is that Microsoft has included code from the GPL-licensed unrar in their Windows Defender product, without releasing the full source code as required by the license agreement. Am I missing anything? The FSF needs to go after them for this!

  2. H1B company top to bottom by Eravnrekaree · · Score: -1, Flamebait

    This is what you get when you have globalist anti-american social justice hiring practices with an H1B third world CEO and H1B programmers, and refusing to hire articulate and talented American talent, third world programmer == third world code. Instead of fanatical American geeks who love what they do, you have degree mill poorly paid third world programmers who work for peanuts. When you come from a third world country with open defecation they have a very low standard of what excellence is to begin with, so you end up with poorly paid workers producing poorly designed, garbage code. This is a "success" compared with the standards of their originating country.