Microsoft Defender Antivirus is the default anti-malware solution on over 1 billion systems running Windows 10 according to Microsoft's statistics. Microsoft has fixed a privilege escalation vulnerability in Microsoft Defender Antivirus that could allow attackers to gain admin rights on unpatched Windows systems.
“This bug allows privilege escalation,” says Kasif Dekel, senior security researcher at SentinelOne. “Software that's running under low privileges can elevate to administrative privileges and compromise the machine.”
The vulnerability was discovered in the BTR.sys driver (also known as the Boot Time Removal Tool) used during the remediation process to delete files and registry entries created by malware on infected systems.
SentinelOne and Microsoft agree there is no evidence that the flaw was discovered or exploited before the researchers' analysis. SentinelOne is withholding specifics on how an attacker could leverage the flaw to give Microsoft's patch time to reach users. Now that the findings are public, though, it is only a matter of time before bad actors work out how to take advantage. A Microsoft spokesperson noted that anyone who installed the February 9 patch, or has automatic updates enabled, is now protected.
The researchers hypothesize that the bug stayed hidden for so long because the vulnerable driver is not stored on the computer's disk full-time, the way a printer driver is. Instead, it is carried inside a dynamic-link library (DLL) that ships with Defender, and the engine writes it to disk and loads it only when a remediation needs it; once the cleanup is done, the driver file is deleted again. The practical consequence is that a file inventory of a host will rarely show BTR.sys at all, so the dependable way to tell whether a machine is exposed is the engine version that Defender reports, not the presence or absence of the driver on disk.
The fix, tracked as CVE-2021-24092, ships as an update to the Malware Protection Engine rather than as part of a Windows cumulative update, and it installs automatically on systems running vulnerable Microsoft Defender versions if automatic updates are enabled: Microsoft Defender updates both the Malware Protection Engine and the malware definitions on enterprise and home devices. A host that has not picked up the engine update (for example, because definition updates are blocked or delayed) stays exposed even if it is otherwise fully patched, so verify the engine version directly instead of relying on the monthly patch state.
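One way to verify that a host has received the engine update, as an added example written for this page (not code from the article, SentinelOne or Microsoft): it reads the engine, platform and signature versions that Defender reports through the built-in Defender PowerShell module, compares the engine version against a minimum you supply, and can optionally trigger an update. The function name `Test-DefenderEngineVersion` is hypothetical; the minimum engine version passed in is the reader's assumption and should be taken from Microsoft's advisory for the CVE, since the value in the usage line is only illustrative.

```powershell
# Added example for this page (not from the article, SentinelOne or Microsoft).
# Reports Defender's engine/platform/signature versions and whether the engine is
# at or above a minimum version the caller supplies from Microsoft's advisory.
function Test-DefenderEngineVersion {
    [CmdletBinding()]
    param(
        # Lowest Malware Protection Engine version considered patched.
        # Assumption: the caller looks this up in the advisory for the CVE.
        [Parameter(Mandatory)]
        [version]$MinimumEngineVersion,

        # When set and the host is below the minimum, pull the latest engine
        # and definitions from the configured update source.
        [switch]$Remediate
    )

    $status = Get-MpComputerStatus
    $engine = [version]$status.AMEngineVersion

    $result = [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        EngineVersion      = $engine
        PlatformVersion    = $status.AMProductVersion
        SignatureVersion   = $status.AntivirusSignatureVersion
        SignaturesUpdated  = $status.AntivirusSignatureLastUpdated
        RealTimeProtection = $status.RealTimeProtectionEnabled
        Patched            = ($engine -ge $MinimumEngineVersion)
    }

    if (-not $result.Patched -and $Remediate) {
        # Update-MpSignature fetches engine and definition updates together,
        # so a successful run normally brings the engine forward as well.
        Update-MpSignature -ErrorAction Stop
        $refreshed = Get-MpComputerStatus
        $result.EngineVersion    = [version]$refreshed.AMEngineVersion
        $result.SignatureVersion = $refreshed.AntivirusSignatureVersion
        $result.Patched          = ($result.EngineVersion -ge $MinimumEngineVersion)
    }

    return $result
}

# Usage. The version below is an assumed placeholder; substitute the fixed
# engine version listed in Microsoft's advisory for the CVE.
Test-DefenderEngineVersion -MinimumEngineVersion '1.1.17800.5' -Remediate | Format-List
```

Run this from an elevated PowerShell session, because `Update-MpSignature` needs administrative rights to pull updates. For fleet-wide checks, drop the `-Remediate` switch, run the function through `Invoke-Command` against your hosts, and filter on `Patched -eq $false` to find machines whose definition-update channel is not delivering engine updates.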