One of the most dangerous things an app can do is parse arbitrary files that could have come from anywhere, but that is exactly what an antivirus engine has to do; sometimes when you stare into the abyss, the abyss stares back.
Such was the case recently when Microsoft disclosed that a specially crafted file can trigger a memory corruption error when it is scanned by the Microsoft Malware Protection Engine, which powers both the consumer and enterprise versions of Windows Defender. An attacker who exploits the bug can then execute arbitrary code in the security context of the LocalSystem account, which is at least as powerful as a full administrator.
Because files can reach a PC in numerous ways, and Defender scans all of them automatically, the vulnerability is very serious.
“There are many ways that an attacker could place a specially crafted file in a location that is scanned by the Microsoft Malware Protection Engine. For example, an attacker could use a website to deliver a specially crafted file to the victim’s system that is scanned when the website is viewed by the user,” Microsoft explains.
“An attacker could also deliver a specially crafted file via an email message or in an Instant Messenger message that is scanned when the file is opened. In addition, an attacker could take advantage of websites that accept or host user-provided content, to upload a specially crafted file to a shared location that is scanned by the Malware Protection Engine running on the hosting server.”
Microsoft says the flaw (tracked as CVE-2017-11937) is not known to be exploited in the wild, and it is pushing out an updated engine through the same channel as definition updates, so the fix should be fetched and applied automatically by Windows Defender and Microsoft Security Essentials, as well as Endpoint Protection, Forefront Endpoint Protection, and Exchange Server 2013 and 2016, all of which use the Malware Protection Engine.
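Automatic delivery is the plan, but on a fleet you will want to confirm the engine actually moved. The script below is an added example written for this page, not code from the article or from Microsoft: it reads the engine version on a Windows Defender host with the built-in Defender cmdlets, compares it to a minimum version you supply (take the first fixed version from Microsoft's advisory for CVE-2017-11937; the script does not hard-code it), and requests an update if the host is still behind. The engine version is exposed on Defender hosts only; Exchange servers running the engine through their malware agent need a separate check.

```powershell
# Added example (not from the article or Microsoft): verify that the Malware
# Protection Engine on this Defender host is at or above a required version,
# and request an update if it is not. Run in an elevated PowerShell session.
param(
    # Take this value from Microsoft's advisory for CVE-2017-11937 (assumed input;
    # the fixed version is deliberately not hard-coded here).
    [Parameter(Mandatory = $true)]
    [version]$MinimumEngineVersion
)

# Get-MpComputerStatus ships with the Defender module (Windows 8 / Server 2012 and later).
$status = Get-MpComputerStatus
$engine = [version]$status.AMEngineVersion

Write-Host ("Engine {0}, signatures {1}, last signature update {2}" -f `
    $engine, $status.AntivirusSignatureVersion, $status.AntivirusSignatureLastUpdated)

if ($engine -lt $MinimumEngineVersion) {
    Write-Warning "Engine $engine is older than $MinimumEngineVersion; requesting an update."
    # Engine updates arrive through the definition-update channel, so a signature
    # update pulls the new engine as well once Microsoft has published it.
    Update-MpSignature
    $engine = [version](Get-MpComputerStatus).AMEngineVersion
    Write-Host "Engine after update: $engine"
}

if ($engine -lt $MinimumEngineVersion) {
    Write-Warning "Still vulnerable: engine $engine is below $MinimumEngineVersion."
    exit 1
}

Write-Host "Engine $engine meets the required minimum."
exit 0
```

Run it as `.\Check-MpEngine.ps1 -MinimumEngineVersion <version from the advisory>`; the non-zero exit code makes it easy to fold into a configuration-management or monitoring job so that hosts that have not picked up the new engine within Microsoft's usual delivery window are flagged rather than assumed patched.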
You can read more about the vulnerability at Microsoft here.
Via The Register.com