Microsoft modifies open source code and causes RCE flaw in Windows Defender
A remote code execution vulnerability in Windows Defender has been traced back to Microsoft's modified fork of an open source archiving tool.
The bug, CVE-2018-0986, is fixed in version 1.1.14700.5 of the Microsoft Malware Protection Engine, which is shared by Windows Defender, Security Essentials, Exchange Server, Forefront Endpoint Protection, and Intune Endpoint Protection. The engine normally updates itself automatically, so in most cases no action is needed; administrators who want to confirm can check that the installed engine version is at least 1.1.14700.5.
An attacker who can get a specially crafted .rar file onto a machine where the anti-malware engine's real-time scanning is enabled can run code on that machine. The user does not have to open the archive: in many cases the engine scans a new file automatically as soon as it arrives, for example a file received by email or saved by a browser.
When the engine parses the crafted file, it triggers memory corruption that can be turned into execution of the attacker's code. Because the Malware Protection Engine runs with SYSTEM privileges, that code gets complete control of the computer.
This vulnerability was discovered and reported to Microsoft by Google security researcher Halvar Flake. Flake was able to trace the vulnerability back to an earlier version of unrar, an open source archive tool for decompressing .rar files.
This is amazing, Windows Defender used the open source unrar code, but changed all the signed ints to unsigned for some reason, breaking the code. @halvarflake noticed and got it fixed. Remote SYSTEM memory corruption 😨 https://t.co/gsx9ZMk1Hz
— Tavis Ormandy (@taviso) April 4, 2018
In other words, Microsoft took a copy of unrar and built it into the anti-malware engine that ships with its operating system. In that fork, the signed integer variables were changed to unsigned ones. That changes the result of arithmetic and comparisons that relied on values being able to go negative: a subtraction that used to produce a negative number now wraps around to a very large positive one, and a check such as "is this value below zero" can never be true any more, so the guard silently stops guarding. That makes memory errors far easier to trigger, and in an antivirus engine such an error can crash the scanner or, as here, allow malicious code to execute.
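To make that failure mode concrete, here is an added C example of the bug class described above. It is constructed for this article and is not unrar's or Microsoft's code; the window size, the function names and the exact shape of the bounds check are assumptions. A decompressor validates a back-reference "copy `len` bytes from `dist` bytes behind position `pos`" in a sliding window: the signed version rejects a reference that reaches before the window, the same code after a mechanical switch to unsigned accepts it because the `< 0` test has become dead code, and the third function shows how the check has to be written for unsigned values.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed example, not unrar's or Microsoft's code. A decoder resolves a
 * back-reference "copy `len` bytes from `dist` bytes behind write position
 * `pos`" inside a window buffer of WINDOW_SIZE bytes. Each checker returns
 * 1 if the reference stays inside the window and 0 if it must be rejected.
 * The window size and the shape of the check are assumptions for
 * illustration. */
#define WINDOW_SIZE 4096

/* Signed arithmetic, as in the original style: pos - dist goes negative when
 * the reference reaches before the start of the window, and the `< 0` test
 * catches it. */
int ref_ok_signed(int32_t pos, int32_t dist, int32_t len)
{
    if (pos < 0 || dist < 0 || len < 0 || pos > WINDOW_SIZE)
        return 0;
    int32_t src = pos - dist;
    if (src < 0)                        /* reaches before window start */
        return 0;
    if (len > WINDOW_SIZE - pos)        /* write would run past the end */
        return 0;
    return 1;
}

/* The value the unsigned version actually computes for the source offset. */
uint32_t src_offset_unsigned(uint32_t pos, uint32_t dist)
{
    return pos - dist;                  /* wraps modulo 2^32 when dist > pos */
}

/* The same checker after mechanically changing every int to unsigned. The
 * `< 0` comparison can never be true, so an over-long back-reference is
 * accepted and src points billions of bytes outside the window. The
 * end-of-window check is also broken: pos + len can wrap to a small value. */
int ref_ok_unsigned_broken(uint32_t pos, uint32_t dist, uint32_t len)
{
    uint32_t src = src_offset_unsigned(pos, dist);
    if (src < 0)                        /* dead code on an unsigned value */
        return 0;
    if (pos + len > WINDOW_SIZE)        /* wraps if pos + len overflows */
        return 0;
    return 1;
}

/* How the same bounds check must be written for unsigned values: compare
 * before subtracting or adding, so nothing can wrap. */
int ref_ok_unsigned_fixed(uint32_t pos, uint32_t dist, uint32_t len)
{
    if (pos > WINDOW_SIZE)
        return 0;
    if (dist > pos)                     /* would reach before window start */
        return 0;
    if (len > WINDOW_SIZE - pos)        /* no overflow possible here */
        return 0;
    return 1;
}

int main(void)
{
    /* Constructed inputs: a valid reference, one that reaches 10 bytes before
     * the window, and one whose pos + len wraps around 2^32. */
    struct { uint32_t pos, dist, len; } cases[] = {
        { 10, 4, 3 },
        { 10, 20, 3 },
        { 10, 4, 0xFFFFFFFFu },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        uint32_t p = cases[i].pos, d = cases[i].dist, l = cases[i].len;
        printf("pos=%" PRIu32 " dist=%" PRIu32 " len=%" PRIu32
               ": signed=%d unsigned_broken=%d (src=%" PRIu32
               ") unsigned_fixed=%d\n",
               p, d, l,
               ref_ok_signed((int32_t)p, (int32_t)d, (int32_t)l),
               ref_ok_unsigned_broken(p, d, l),
               src_offset_unsigned(p, d),
               ref_ok_unsigned_fixed(p, d, l));
    }
    return 0;
}
```

The point for anyone reviewing such a port: a signed-to-unsigned change is not a type annotation, it changes the meaning of every comparison against zero and every subtraction in the affected code, so each bounds check has to be re-derived in the form "is the operand larger than what we subtract it from", not merely recompiled.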
Source: The Register