A vulnerability in Windows Defender went unnoticed for 12 years

Facepalm: A critical bug in Windows Defender went unnoticed by attackers and defenders alike for about 12 years before it was finally fixed last fall. The vulnerability in Microsoft’s built-in antivirus could have allowed attackers to overwrite files or execute malicious code, had anyone found it.

Let’s be clear: 12 years is a long time in the lifecycle of a mainstream operating system, and a long time for such a critical vulnerability to stay hidden. Part of the reason may be that the bug does not live permanently on a computer’s storage; instead, it sits in a Windows driver described as a “dynamic link library”, which Windows Defender loads only when needed and then deletes from the disk.

Wired explains, “When the driver removes a malicious file, it replaces it with a new and benign one as a kind of placeholder during the fix. But the researchers found that the system does not specifically scan this new file. As a result, an attacker could insert strategic system links that direct the driver to overwrite the wrong file or even execute malicious code.”
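The placeholder write described in that quote, as an added example that is not code from the article, Microsoft or SentinelOne: a POSIX simulation in Python of the same bug class, with the vulnerable pattern (write by name, following links) beside a hardened one that refuses links and verifies the object it opened. The placeholder bytes, file names and scenario are constructed; the real driver's internals are not described on the page.

```python
import os
import stat
import tempfile
from pathlib import Path

PLACEHOLDER = b"[quarantined by scanner]\n"  # constructed stand-in for the driver's benign file

def unsafe_replace(path: str) -> None:
    # Vulnerable pattern: open by name. open() follows a symbolic link, so a link
    # planted at `path` redirects the placeholder onto the link's target.
    with open(path, "wb") as fh:
        fh.write(PLACEHOLDER)

def safe_replace(path: str) -> bool:
    # Hardened pattern: never follow links, and verify that the object we opened is
    # the regular file we inspected. Returns False instead of writing otherwise.
    before = os.lstat(path)  # lstat examines the link itself, not its target
    if not stat.S_ISREG(before.st_mode):
        return False
    flags = os.O_WRONLY | os.O_TRUNC | getattr(os, "O_NOFOLLOW", 0)  # O_NOFOLLOW: POSIX only
    try:
        fd = os.open(path, flags)  # ELOOP if a link was planted between lstat and open
    except OSError:
        return False
    try:
        after = os.fstat(fd)  # check-then-use guard: same inode and device, still regular
        if (after.st_ino, after.st_dev) != (before.st_ino, before.st_dev) or not stat.S_ISREG(after.st_mode):
            return False
        os.write(fd, PLACEHOLDER)
        return True
    finally:
        os.close(fd)

def demo() -> dict:
    # Constructed scenario: a link named like a malware sample points at a protected file.
    with tempfile.TemporaryDirectory() as d:
        protected, link, sample = (Path(d) / n for n in ("protected.cfg", "malware.bin", "sample.bin"))
        protected.write_bytes(b"important settings\n")
        link.symlink_to(protected)
        unsafe_replace(str(link))  # writes through the link
        clobbered = protected.read_bytes() == PLACEHOLDER
        protected.write_bytes(b"important settings\n")  # restore, then try the hardened version
        refused = not safe_replace(str(link))
        intact = protected.read_bytes() == b"important settings\n"
        sample.write_bytes(b"real sample\n")
        handled = safe_replace(str(sample)) and sample.read_bytes() == PLACEHOLDER
        return {"unsafe_clobbered_target": clobbered, "safe_refused_link": refused,
                "target_intact": intact, "safe_replaced_regular_file": handled}
```

The lstat/fstat identity check matters because a link can be planted between the check and the open; on a real scanner the same idea extends to every directory component of the path, not just the final file.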

Researchers at security firm SentinelOne discovered and reported the flaw last fall, and it has since been corrected.

Microsoft initially classified the vulnerability as “high”, although it is important to note that to take advantage of the bug an attacker would first need access – physical or remote – to your computer. In practice, this means additional exploits would most likely need to be chained with it.

Both Microsoft and SentinelOne agree that there is no evidence the now-fixed bug has been exploited maliciously, and SentinelOne is keeping the details of the vulnerability under its hat to prevent attackers from taking advantage of it while the patch rolls out.

A Microsoft spokesman said that anyone who installed the February 9 patch, either manually or through automatic updates, is protected.
