Google Project Zero Researcher Finds Bug In Windows Defender

A Google Project Zero security researcher discovered a way to exploit how Windows Defender scans RAR archive files. All Windows versions are vulnerable to this bug.

An UnRAR Bug In Windows Defender

Project Zero researcher Thomas Dullien inspected Windows Defender’s mpengine.dll and discovered that the code responsible for processing RAR archive files was based on a modified version of the open source UnRAR software. Microsoft’s fork appears to be a version older than or equal to UnRAR 4.2.4, which is more than five years old.

According to Dullien, Microsoft's modifications to the code turned all signed variables into unsigned ones, which introduced a severe memory corruption vulnerability that allows attackers to compromise the host operating system.
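To make the point concrete, the following C program is an added illustration (it is not UnRAR's or Microsoft's code, and the variable names and the 16-byte window are constructed for the example). It shows a bounds check of the kind decompressors perform, written first with signed integers, then with the same expression after a mechanical change to unsigned, and finally in a form that is correct for unsigned values. The signed version relies on a difference going negative to mean "no room"; once the types are unsigned, that difference wraps to a huge value and an oversized copy is accepted.

```c
#include <stddef.h>
#include <stdio.h>

/*
 * Added illustration (not UnRAR's or Microsoft's code): a bounds check of the
 * kind found in decompressors, written three ways. 'pos' is the write position
 * in an output window, 'len' the number of bytes about to be copied, 'end' the
 * window size. Each function returns 1 if the copy must be refused.
 */

/* Original, signed form. end - len may go negative, which simply means
 * "no room at all"; pos > (negative) is then true and the copy is refused. */
static int copy_overflows_signed(int pos, int len, int end)
{
    return pos > end - len;
}

/* The same expression after a mechanical int -> unsigned change. When
 * len > end, end - len wraps to a huge value, pos > huge is false, and an
 * oversized copy is accepted: the write would run past the end of the window. */
static int copy_overflows_unsigned(unsigned pos, unsigned len, unsigned end)
{
    return pos > end - len;
}

/* Corrected unsigned form: never form a difference that can wrap; check the
 * position first, then compare len against the space that remains. */
static int copy_overflows_fixed(unsigned pos, unsigned len, unsigned end)
{
    return pos > end || len > end - pos;
}

/* How many bytes a copy would land past the window if it were allowed
 * (0 when it fits). 64-bit arithmetic so the answer itself cannot wrap. */
static unsigned long long bytes_past_end(unsigned pos, unsigned len, unsigned end)
{
    unsigned long long last = (unsigned long long)pos + len;
    return last > end ? last - end : 0;
}

int main(void)
{
    /* Constructed inputs: (pos, len) pairs checked against a 16-byte window. */
    const unsigned end = 16;
    const unsigned cases[][2] = { {4, 8}, {8, 8}, {9, 8}, {0, 32}, {15, 1}, {15, 2} };
    size_t n = sizeof cases / sizeof cases[0];

    printf("%4s %4s | %6s %8s %5s | %s\n",
           "pos", "len", "signed", "unsigned", "fixed", "overrun");
    for (size_t i = 0; i < n; i++) {
        unsigned pos = cases[i][0], len = cases[i][1];
        printf("%4u %4u | %6d %8d %5d | %llu\n", pos, len,
               copy_overflows_signed((int)pos, (int)len, (int)end),
               copy_overflows_unsigned(pos, len, end),
               copy_overflows_fixed(pos, len, end),
               bytes_past_end(pos, len, end));
    }
    return 0;
}
```

The (0, 32) row is the interesting one: the signed and the corrected checks both refuse it, while the mechanically converted unsigned check lets a copy through that would land 16 bytes past the window. Everything else agrees across the three versions, which is why a change like this survives ordinary testing and only shows up on crafted input.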

The Windows Defender bug seems to be related to a bug in a 2012 version of UnRAR that likely remained unfixed when Microsoft ported the code into its antivirus engine. The same bug should affect any other third-party software that integrates old UnRAR code.

Last year, Dullien alerted the RAR Labs developers about the bug found in UnRAR, and the RAR developers fixed the issue in UnRAR version 5.5.5. However, as Microsoft has continued to use an older version of UnRAR, its antivirus remained affected.

Windows Defender Users Must Update

Attackers who have known about the UnRAR bug since 2012 could have been exploiting Windows users all this time. Users with Windows Defender real-time protection enabled could have been exploited via specially crafted web pages or email attachments and cloud-hosted files.

Microsoft advised users to verify that they have the latest Windows updates. The Microsoft Malware Protection Engine version needs to be 1.1.13704.0 or later.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • justin.m.beauvais
    So, no "Windows Defender is unusable and Microsoft's value is zero!"? I thought that was how we did things now. /sarcasm

    It seems odd to me that a company that uses someone else's source code doesn't update to newer code when it becomes available. It isn't like Microsoft had to develop the new code/fixes. All they had to do was integrate it. This stinks of cost savings and/or laziness.
  • dextermat
    Do bare minimum, wait for problems to come up, let user get screwed, patch up, rinse and repeat. 'Tis a sad day for users.
  • lperreault21
    20861731 said:
    So, no "Windows Defender is unusable and Microsoft's value is zero!"? I thought that was how we did things now. /sarcasm

    It seems odd to me that a company that uses someone else's source code doesn't update to newer code when it becomes available. It isn't like Microsoft had to develop the new code/fixes. All they had to do was integrate it. This stinks of cost savings and/or laziness.

    They will have no choice but to file for bankruptcy ;)