Researchers have discovered major flaws in Microsoft and Kaspersky security products. They claim that Windows Defender can be tricked into deleting databases. Even worse, the exploit can be activated remotely, possibly allowing attackers to delete files and applications from afar. Spooky indeed.
As first reported by The Register, cybersecurity outfit SafeBreach discussed its findings during the Black Hat Asia conference in Singapore. The team asserts that the hole could remain exploitable even if both vendors claim to have patched the problem.
SafeBreach’s VP of Security Research, Tomer Bar, and security researcher Shmuel Cohen discovered that both Windows Defender and Kaspersky’s Endpoint Detection and Response (EDR) can be manipulated to detect ‘fake’ malicious files. These files can then be used to affect an entire database and delete it.
The attack relies on the fact that both companies use byte signatures to detect malware. Byte signatures are unique sequences of bytes in file headers. “Our goal was to confuse EDR by implanting malware signatures into legit files and make them think it’s malicious,” explained the experts.
It was just a matter of finding a byte signature associated with malware on the platform VirusTotal. Then, the bad actors create a new user that includes this signature and insert it into a database. Just detecting this ‘false’ positive in the database is enough for EDR to perceive it as dangerous, deleting the entire thing as a precautionary measure. Hackers could use this exploit to brick applications and critical Windows services, making it a very dangerous tool.
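The deletion behaviour described above, reduced to a toy scanner as an added example (not SafeBreach's code and not how Defender or Kaspersky's EDR is implemented). The signature is a constructed, harmless marker; the flat-file "database", the username field and the quarantine policy are assumptions made for illustration, not either vendor's fix.

```python
import os
import tempfile

# Constructed, harmless marker standing in for a vendor byte signature.
TOY_SIGNATURE = b"TOY-SIG-\x13\x37-DEMO"

def scan(path):
    """Return every byte offset at which the toy signature occurs."""
    with open(path, "rb") as f:
        data = f.read()
    hits, i = [], data.find(TOY_SIGNATURE)
    while i != -1:
        hits.append(i)
        i = data.find(TOY_SIGNATURE, i + 1)
    return hits

def remediate(path, policy):
    """Act on a file-level verdict; the scanner has no notion of records."""
    if not scan(path):
        return "clean"
    if policy == "delete":  # the behaviour the article describes
        os.remove(path)
        return "deleted"
    # Assumed alternative: keep the bytes recoverable for review.
    os.replace(path, path + ".quarantined")
    return "quarantined"

def write_user_db(path, usernames):
    """Hypothetical flat-file store: one 'id,username' record per line."""
    with open(path, "wb") as f:
        for n, name in enumerate(usernames):
            f.write(b"%d," % n + name + b"\n")

def demo():
    """One externally supplied record decides the fate of the whole file."""
    workdir = tempfile.mkdtemp()
    outcome = {}
    for policy in ("delete", "quarantine"):
        db = os.path.join(workdir, policy + ".db")
        write_user_db(db, [b"alice", b"bob", b"x" + TOY_SIGNATURE])
        verdict = remediate(db, policy)
        kept = db + ".quarantined"
        records = len(open(kept, "rb").read().splitlines()) if os.path.exists(kept) else 0
        outcome[policy] = (verdict, os.path.exists(db), records)
    return outcome

if __name__ == "__main__":
    print(demo())
```

Under the delete policy the two legitimate records are lost along with the flagged one; under the assumed quarantine policy all three remain recoverable, although the application still loses access to its data file.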
Filling the holes
When made aware of the exploit, Kaspersky claimed the issue was not a security vulnerability. “The product’s behaviour is more driven by design,” said the vendor. Fortunately, it did concede that it has plans to implement some improvements to help mitigate the issue. Cohen said he has tested these claims and has found that the mitigations seem to work. However, he does not guarantee the patches cannot be bypassed.
The exploit similarly affects Windows Defender and Microsoft-associated products like Azure Cloud. The researchers chose not to test the vulnerability on the cloud-based service because the potential consequences are far too damaging. Instead, SafeBreach reported its findings to Microsoft in January 2023. Microsoft acknowledged the potential flaw as CVE-2023-24860 and issued a subsequent patch.
Of course, the researchers did not stop there. They claimed that patches from both companies were merely surface-level fixes. Since Microsoft’s products are far-reaching, the team chose to focus its efforts there. By December 2023, the experts yet again managed to bypass the initial patch and trigger the exploit. This time, Microsoft was unfazed and claimed that the bypass only worked on already compromised endpoints.
The duo have, therefore, concluded that remote deletion vulnerabilities are especially difficult to fix when the security controls rely on byte signature detection. Cohen commends Microsoft for being amenable and collaborative, but he argues that the flaw is deeply rooted inside Defender, and that fixing the issue entirely would require a total product redesign.