Microsoft patches remote code execution flaw in Windows Defender

The 2 people who use Defender will be really happy.

You'd be surprised, Defender is astonishingly good when you set it up correctly and take advantage of its cloud features. It's like Panda AV on steroids. The latest performance tests in AV-Comparatives' benchmark ranked it very highly. I've never had to buy an AV since they launched Security Essentials.
 
> You'd be surprised, Defender is astonishingly good when you set it up correctly and take advantage of its cloud features. It's like Panda AV on steroids. The latest performance tests in AV-Comparatives' benchmark ranked it very highly. I've never had to buy an AV since they launched Security Essentials.

It's rated one of the worst (maybe THE worst) out of all free versions. I've never spent a cent on an AV either - Defender is far from the only free option.

Is it not enabled by default on every Windows 10 installation?

Being deactivated after a full 5 minutes of use, before any free alternative is downloaded, can't really be classified as "being used".
 
> It's rated one of the worst (maybe THE worst) out of all free versions. I've never spent a cent on an AV either - Defender is far from the only free option.
Those are probably ratings of the older Windows 7 release. Changelog of "Defender" in the new Windows 10 build rolling out next week:

- "Windows Defender" has been renamed "Windows Security"
- Windows Security now lists protection areas and direct links to their pages in the Windows Defender Security Center, including Virus & threat protection, Account protection, Firewall & network protection, App & browser control, Device security, Device performance & health and Family options

The previous five Windows 10 releases also had Defender updates and new functionality added.
 
> That is probably ratings of the older Windows 7 release. Changelog of "Defender" in the new Windows 10 build rolling out next week

AV-Comparatives was accused of bias in 2015 when they changed their methodology sometime between build 10240 and 10586, which saw Defender tank badly in their tests and perform the worst out of any of the free AVs available. This is the first test where Defender has returned to being competitive, IIRC.
 
> AV-Comparatives was accused of bias in 2015 when they changed their methodology sometime between build 10240 and 10586, which saw Defender tank badly in their tests and perform the worst out of any of the free AVs available. This is the first test where Defender has returned to being competitive, IIRC.
There was a long-running Microsoft smear campaign against other antivirus solutions starting circa 2015. As an example, here is a link to the article citing specifically "all antivirus programs are bad, except Defender": https://arstechnica.com/information-technology/2017/01/antivirus-is-bad/

A big blow for Defender was recorded in March/May 2017: https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5
> MsMpEng is the Malware Protection service that is enabled by default on Windows 8, 8.1, 10, Windows Server 2012, and so on. Additionally, Microsoft Security Essentials, System Centre Endpoint Protection and various other Microsoft security products share the same core engine. MsMpEng runs as NT AUTHORITY\SYSTEM without sandboxing, and is remotely accessible without authentication via various Windows services, including Exchange, IIS, and so on.
>
> On workstations, attackers can access mpengine by sending emails to users (reading the email or opening attachments is not necessary), visiting links in a web browser, instant messaging and so on. This level of accessibility is possible because MsMpEng uses a filesystem minifilter to intercept and inspect all system filesystem activity, so writing controlled contents to anywhere on disk (e.g. caches, temporary internet files, downloads (even unconfirmed downloads), attachments, etc) is enough to access functionality in mpengine. MIME types and file extensions are not relevant to this vulnerability, as MsMpEng uses its own content identification system.
>
> Vulnerabilities in MsMpEng are among the most severe possible in Windows, due to the privilege, accessibility, and ubiquity of the service.
>
> The core component of MsMpEng responsible for scanning and analysis is called mpengine. Mpengine is a vast and complex attack surface, comprising handlers for dozens of esoteric archive formats, executable packers and cryptors, full system emulators and interpreters for various architectures and languages, and so on. All of this code is accessible to remote attackers.
>
> NScript is the component of mpengine that evaluates any filesystem or network activity that looks like JavaScript. To be clear, this is an unsandboxed and highly privileged JavaScript interpreter that is used to evaluate untrusted code, by default on all modern Windows systems. This is as surprising as it sounds.
There is no reason to believe that mpengine (NScript) should run as NT AUTHORITY\SYSTEM. Microsoft fixed this bug only after it had been published, and a partial fix indeed, as the same story (a similar backdoor) came back in December 2017. Backdoors of this type are of such a serious nature that the industry started to dispute whether it is better to not have any antivirus at all (unfortunately impossible on Windows 10). See: https://arstechnica.com/information...indows-defender-nscript-remote-vulnerability/

Microsoft's response came soon, forcing third-party antivirus programs to conform to a new (restricted) antivirus API. As a result of the API changes, Defender can now shine compared to the others.
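Since the thread turns on two things, whether the mpengine build on a machine is current (the fix for the bug quoted above shipped as an engine update) and whether Defender's cloud features are actually switched on, here is an added PowerShell audit script (my own example, not from the thread or from Microsoft) that reports both and optionally tightens the settings. It uses the standard Defender cmdlets (Get-MpComputerStatus, Get-MpPreference, Set-MpPreference, Update-MpSignature); $MinEngineVersion is a placeholder that you replace with the engine build named in the advisory you are checking against.

```powershell
# Added example: audit Windows Defender engine version and cloud-protection
# settings on the local machine. Run from an elevated PowerShell prompt.
#   .\Check-DefenderPosture.ps1            # report only
#   .\Check-DefenderPosture.ps1 -Enforce   # also apply the recommended settings
param([switch]$Enforce)

# PLACEHOLDER: replace with the minimum mpengine build from the relevant advisory.
$MinEngineVersion = [version]'0.0.0.0'

$status = Get-MpComputerStatus
$prefs  = Get-MpPreference
$engine = [version]$status.AMEngineVersion

Write-Host "mpengine version  : $engine"
Write-Host "Signature version : $($status.AntivirusSignatureVersion) (updated $($status.AntivirusSignatureLastUpdated))"
Write-Host "Real-time protect : $($status.RealTimeProtectionEnabled)"

# Collect findings. MAPSReporting: 0 Disabled, 1 Basic, 2 Advanced.
# SubmitSamplesConsent: 0 AlwaysPrompt, 1 SendSafeSamples, 2 NeverSend, 3 SendAllSamples.
$findings = @()
if ($engine -lt $MinEngineVersion) {
    $findings += "mpengine $engine is older than required $MinEngineVersion"
}
if (-not $status.RealTimeProtectionEnabled) { $findings += 'real-time protection is disabled' }
if ($prefs.MAPSReporting -ne 2)             { $findings += 'cloud-delivered protection (MAPS) is not Advanced' }
if ($prefs.SubmitSamplesConsent -eq 2)      { $findings += 'automatic sample submission is NeverSend' }
if ($prefs.DisableBlockAtFirstSeen)         { $findings += 'Block at First Sight is disabled' }

if ($findings.Count -eq 0) {
    Write-Host 'OK: engine is current and cloud protection is fully enabled.'
} else {
    Write-Warning ("Findings:`n - " + ($findings -join "`n - "))
}

if ($Enforce -and $findings.Count -gt 0) {
    # Engine and definition updates ride the same update channel.
    Update-MpSignature
    Set-MpPreference -MAPSReporting Advanced `
                     -SubmitSamplesConsent SendSafeSamples `
                     -DisableBlockAtFirstSeen $false `
                     -CloudBlockLevel High `
                     -CloudExtendedTimeout 50
    Write-Host 'Recommended settings applied; re-run without -Enforce to verify.'
}
```

Settings managed by Group Policy or an MDM profile will show as configured here but cannot be changed with Set-MpPreference; the policy wins.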
 