Windows Defender-Pretender Attack Dismantles Flagship Microsoft EDR


BLACK HAT USA – Las Vegas – Wednesday, Aug. 9: Among the 97 CVEs that Microsoft patched in April 2023 was a security feature bypass vulnerability that allows an unprivileged user to hijack Windows Defender and use it to wreak havoc on target systems.

Researchers at SafeBreach, who have previously discovered similar vulnerabilities in other security products, uncovered the issue in Windows Defender during an attempt to take over the antivirus tool's update process.

Hijacking the Update Process

The research goal was to verify whether the update process could be used to sneak known malware onto the very systems the software is designed to protect. The researchers also wanted to verify whether they could get Windows Defender to delete signatures of known threats and, worse, to delete benign files and thereby trigger a denial-of-service condition on a compromised system.

