• Windows Defender could be tricked into deleting databases

    From TechnologyDaily@1337:1/100 to All on Tue Apr 23 11:30:05 2024
    Windows Defender could be tricked into deleting databases

    Date:
    Tue, 23 Apr 2024 11:24:58 +0000

    Description:
    Entire applications could be bricked remotely, but there is no
    straightforward solution.

    FULL STORY ======================================================================

    Microsoft's and Kaspersky's security products can be tricked into deleting legitimate files. The flaw can be abused to brick entire applications.

    This is according to cybersecurity researchers from SafeBreach, who discussed their findings during the Black Hat Asia conference in Singapore, The Register reports.

    However, not everyone agrees with the researchers, and while Microsoft did acknowledge their findings to some extent, it ultimately decided not to pursue them any further.

    To patch or to rebuild

    During the Black Hat Asia conference, the two researchers - Tomer Bar and Shmuel Cohen - explained that the problem stems from the fact that both Microsoft and Kaspersky use byte signatures to detect malware. Byte signatures, The Register explains, are unique sequences of bytes in file headers; should an attacker insert one into a legitimate file, the security solutions will flag that file as malicious.

    In theory, attackers would be able to delete people's files remotely. For example, they could register as a new user on a website and put the byte signature in their username. The signature would make it into the database, tricking the security program into deleting the entire database file. In another example, an attacker could add the signature to a comment on a video.
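    The mechanism described above, as an added illustration that is not part of the article or of the researchers' work: a content-blind byte scanner (modelling the behaviour the article attributes to the security products) flags an entire data file because one stored record contains a signature, and an application-side ingest check keeps such input out of the store in the first place. The signature byte strings are constructed placeholders, not real product signatures.

```python
# Constructed placeholder signatures. Real Defender/Kaspersky signatures are
# not on the page and are not reproduced here.
KNOWN_SIGNATURES = [
    b"X5O!PLACEHOLDER-SIGNATURE-1",
    b"\x4d\x5a\x90\x00PLACEHOLDER-SIGNATURE-2",
]


def naive_av_scan(blob: bytes) -> bool:
    """Models the article's description: the file is flagged if any known
    byte sequence appears anywhere in it, with no regard for context."""
    return any(sig in blob for sig in KNOWN_SIGNATURES)


def ingest_filter(field: str) -> bool:
    """Defensive check at the application boundary: return True when the
    user-supplied field may be stored, False when it carries a known
    signature. Note the limit: this only catches the raw byte form, so a
    store that later decodes base64/URL-encoded input needs the check run
    on the decoded form too."""
    data = field.encode("utf-8", "surrogateescape")
    return not any(sig in data for sig in KNOWN_SIGNATURES)


def build_db_file(records) -> bytes:
    """Simulates a flat on-disk table: one record per line."""
    return b"\n".join(r.encode("utf-8", "surrogateescape") for r in records)


def store_with_filter(records) -> bytes:
    """Apply the ingest check before anything reaches the data file."""
    return build_db_file([r for r in records if ingest_filter(r)])


if __name__ == "__main__":
    # Constructed sample: two normal usernames and one poisoned one.
    users = ["alice", "bob", "eve X5O!PLACEHOLDER-SIGNATURE-1"]
    unfiltered = build_db_file(users)
    print("unfiltered file flagged:", naive_av_scan(unfiltered))   # True
    print("filtered file flagged:", naive_av_scan(store_with_filter(users)))  # False
```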

    All of this seems to be theoretical, because the potential consequence is so great that the researchers couldn't bring themselves to try it out:

    "We thought: 'All Azure clouds are run with Microsoft products and Defender exists on Azure.' We really thought that we can attack Azure cloud with this attack, but we were really scared to try it because we don't know the implication. We could really destroy a production database all over the world, and this could be irreversible. So we were really scared to try to do it ourselves," The Register cited the researchers.

    Initially, Microsoft acknowledged the findings. The vulnerability was registered under CVE-2023-24860, and patched in April last year. Kaspersky, on the other hand, didn't release a patch because "the product's behavior is more driven by design." It was "planning some improvements to mitigate this issue," though.

    The researchers didn't stop there. Both Kaspersky's and Microsoft's fixes worked at face value, but they wanted to dig deeper. They deemed Kaspersky not popular enough to warrant further investigation, so they focused on Microsoft.

    They managed to work around the initial patch, triggering the creation of CVE-2023-3601 in December last year. They tried again, apparently succeeding in bypassing the fix, but this time Microsoft wasn't fazed, claiming that the bypass only works on already compromised endpoints.

    A "bypass of a defense-in-depth security feature by itself does not pose a direct risk as an attacker must also have found a vulnerability that affects a security boundary or they must rely on additional techniques such as social engineering to achieve the initial stage of a device compromise."

    The researchers concluded that, in order to fully address this problem, Defender should be redesigned from the ground up.



    ======================================================================
    Link to news story: https://www.techradar.com/pro/security/windows-defender-could-be-tricked-into-deleting-databases


    --- Mystic BBS v1.12 A47 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)