Cybersecurity professionals from SafeBreach have disclosed a series of critical vulnerabilities in Windows Defender that allow remote attackers to delete files on computers, potentially causing significant data loss and system instability. These vulnerabilities were presented by Tomer Bar and Shmuel Cohen at the Black Hat conference. Their investigation began with an attempt to induce false positives in security systems, which led to the discovery of the vulnerability CVE-2023-24860. This flaw makes it possible to remotely delete important files on both Windows and Linux servers without needing authentication, and to circumvent several layers of security on fully updated servers.
The research method employed by the SafeBreach team involved using a black box approach to decipher byte signatures from Endpoint Detection and Response (EDR) systems, focusing particularly on Windows Defender. They developed a Python tool designed to reduce binaries to their smallest possible effective signatures, discovering 130 unique signatures in the process. These were then manually embedded into legitimate files to test the effectiveness of the vulnerability, demonstrating various ways in which these flaws could be exploited.
During their demonstrations, the SafeBreach team showed multiple attack vectors, such as the remote deletion of web server logs, local mailbox files in Mozilla Thunderbird, and Windows event log files. A significant demonstration included tricking Windows Defender into deleting its own detection logs, a scenario they described as “self-cannibalism.” Despite Microsoft releasing a fix for CVE-2023-24860, SafeBreach noted that the patch was insufficient and only mitigated the vulnerability to the level of a “moderate DOS,” leaving several attack vectors still open.
Further research by SafeBreach led to the discovery of CVE-2023-36010, a bypass to the initial CVE-2023-24860 fix. While Microsoft acknowledged the issue and stated improvements had been made to reduce false positives and data loss, the researchers identified additional methods to bypass the patch. These methods involved manipulating MySQL storage engines and file formats. Meanwhile, Microsoft also enhanced Windows Defender by allowing users to set it to quarantine all remediation actions by default, attempting to offer users a safer computing environment despite the lingering vulnerabilities.