A Google Project Zero security researcher discovered a memory corruption bug in the code Windows Defender uses to unpack RAR archives while scanning them. Every Windows version that runs Defender's Microsoft Malware Protection Engine is affected.
An UnRAR Bug In Windows Defender
Project Zero researcher Thomas Dullien inspected Windows Defender's mpengine.dll and found that the code responsible for processing RAR archives is a modified copy of the open source UnRAR software. Microsoft's fork appears to be based on UnRAR 4.2.4 or an earlier release, code that is more than five years old.
According to Dullien, Microsoft's modifications turned all of the code's signed integer variables into unsigned ones. That matters because a check such as "is this offset negative?" can never be true for an unsigned value, so input that the original code would have rejected is instead reinterpreted as a very large positive number. The result is a severe memory corruption vulnerability that an attacker can use to compromise the host operating system.
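To make concrete how a blanket signed-to-unsigned change can break a bounds check in a decompressor, here is a constructed C example written for this article. It is not UnRAR or mpengine code and does not claim to show the exact line Microsoft changed; the LZ-style window copy, the function names and the sample inputs are all invented for illustration. It shows the original-style signed check, the same code after the type change, and a hardened form that does not depend on a sign bit.

```c
/*
 * Constructed illustration of how changing signed integers to unsigned can
 * silently defeat a range check in an LZ-style decompressor. This is example
 * code written for this article, not UnRAR or mpengine source, and it does
 * not claim to reproduce the exact check Project Zero found broken.
 */
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define WINDOW_SIZE 256

/*
 * The decoder has already written `write_pos` bytes into `window` and the
 * compressed stream asks it to copy `length` bytes starting `distance` bytes
 * back. Both `distance` and `length` come from the archive, so the attacker
 * chooses them.
 */

/* Variant A, original style: signed arithmetic. A distance larger than
 * write_pos yields a negative source index, `src < 0` fires and the copy is
 * refused. Returns 0 on success, -1 if the request is rejected. */
int lz_copy_signed(unsigned char *window, int write_pos, int distance, int length)
{
    int src = write_pos - distance;
    if (src < 0 || length < 0 || write_pos < 0 ||
        write_pos > WINDOW_SIZE || length > WINDOW_SIZE - write_pos)
        return -1;
    for (int i = 0; i < length; i++)
        window[write_pos + i] = window[src + i];   /* overlap is intentional in LZ */
    return 0;
}

/* Variant B: the same logic after a blanket signed-to-unsigned edit.
 * `src < 0` can no longer be true (compilers typically warn that the
 * comparison is always false and drop it), so a distance larger than
 * write_pos wraps src around to a value near UINT_MAX and the copy loop
 * would read far outside `window`. To keep this example safe to run it only
 * reports the decision: 1 if the broken checks would let the copy proceed,
 * 0 if they reject it. */
int lz_copy_unsigned_allows(unsigned write_pos, unsigned distance, unsigned length)
{
    unsigned src = write_pos - distance;          /* wraps when distance > write_pos */
    if (src < 0 || write_pos > WINDOW_SIZE || length > WINDOW_SIZE - write_pos)
        return 0;                                 /* the `src < 0` clause is dead */
    return 1;                                     /* would copy from window[src] */
}

/* Variant C, hardened: validate the inputs against the bounds before doing
 * the subtraction, so the check does not rely on a sign bit that a later
 * type change can remove. Returns 0 on success, -1 on rejection. */
int lz_copy_hardened(unsigned char *window, unsigned write_pos, unsigned distance, unsigned length)
{
    if (distance == 0 || distance > write_pos)           /* source would lie before the window */
        return -1;
    if (write_pos > WINDOW_SIZE || length > WINDOW_SIZE - write_pos) /* destination overrun */
        return -1;
    unsigned src = write_pos - distance;                 /* now provably < write_pos */
    for (unsigned i = 0; i < length; i++)
        window[write_pos + i] = window[src + i];
    return 0;
}

/* Exercises all three variants on a constructed window: two legitimate copies
 * and an attacker-style request whose distance exceeds the bytes written so
 * far. Returns 1 if the behaviour matches the description above, 0 otherwise. */
int demo(void)
{
    unsigned char window[WINDOW_SIZE] = { 'a', 'b', 'c', 'd' };   /* 4 bytes decoded so far */
    int ok = 1;

    /* Legitimate requests: repeat the bytes decoded so far. */
    ok &= lz_copy_signed(window, 4, 4, 4) == 0 && memcmp(window, "abcdabcd", 8) == 0;
    ok &= lz_copy_hardened(window, 8, 8, 8) == 0 && memcmp(window, "abcdabcdabcdabcd", 16) == 0;

    /* Malicious request: distance 32 back when only 16 bytes exist. */
    ok &= lz_copy_signed(window, 16, 32, 4) == -1;      /* caught by src < 0 */
    ok &= lz_copy_unsigned_allows(16, 32, 4) == 1;      /* slips through: src wrapped */
    ok &= lz_copy_hardened(window, 16, 32, 4) == -1;    /* caught by distance > write_pos */
    return ok;
}

int main(void)
{
    unsigned char window[WINDOW_SIZE] = {0};
    printf("signed   variant, distance 32 at pos 16: %s\n",
           lz_copy_signed(window, 16, 32, 4) == -1 ? "rejected" : "allowed");
    printf("unsigned variant, distance 32 at pos 16: %s\n",
           lz_copy_unsigned_allows(16, 32, 4) ? "allowed (out-of-bounds read)" : "rejected");
    printf("hardened variant, distance 32 at pos 16: %s\n",
           lz_copy_hardened(window, 16, 32, 4) == -1 ? "rejected" : "allowed");
    return demo() ? 0 : 1;
}
```

The practical lesson is the one in variant C: compare the attacker-controlled inputs against the bounds before the subtraction happens, rather than testing the result for negativity. A check written that way keeps working whether the variables are signed or unsigned, and a later "cleanup" of integer types cannot quietly turn it into dead code.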
The Windows Defender bug appears to correspond to a flaw present in UnRAR as of 2012, which evidently carried over unfixed when Microsoft ported the code into its antivirus engine. Any other product that still embeds old UnRAR code is likely to be affected by the same flaw.
Last year, Dullien reported the UnRAR bug to the RAR Labs developers, who fixed it in UnRAR version 5.5.5. Because Microsoft kept using the older code, its antivirus engine remained vulnerable.
Windows Defender Users Must Update
Any attacker who has known about the UnRAR bug since 2012 could have been using it against Windows users all this time. Because Windows Defender's real-time protection scans files as they arrive, a user with it enabled could have been compromised by a specially crafted RAR archive delivered through a web page, an email attachment or a cloud-hosted file; the archive only has to be scanned, not opened.
Microsoft advised users to verify that they have the latest Windows updates installed. The fix ships in Microsoft Malware Protection Engine version 1.1.13704.0 or later, so check that the engine version reported by Windows Defender is at least that; the engine normally updates itself automatically along with definition updates.