'Crazy bad' bug in Microsoft's Windows malware scanner can be used to install malware

Miscreants can turn the tables on Microsoft and use its own antivirus engine against Windows users – by abusing it to install malware on vulnerable machines. A particularly nasty security flaw exists in Redmond's anti-malware software, which is packaged and marketed in various forms: Windows Defender, Windows Intune Endpoint …

  1. Anonymous Coward
    Pint

    Black hats go to the bar on Friday night too, you know.

    1. Pompous Git Silver badge

      "Black hats go to the bar on Friday night too, you know."
      There you go! And I thought they were called to the bar ;-)

      1. IanRS

        You called, m'Lud?

        Lawyers are called to the bar. Lowlifes are placed at the bar. Sometimes you can tell the difference.

    2. TheVogon Silver badge

      "An easy way for attackers to exploit the scanner bug would be to send malicious malware-laden files to a victim as an attachment on an email or instant message, or an automatic download from a webpage, which would be automatically scanned on arrival – and trigger an infection."

      Not clear how this would be wormable? Seems to require user interaction, or a known target, e.g. an email address.

      1. Anonymous Coward

        Not clear how this would be wormable ?

        From the bug report, it seems anything that can get itself written to the file system could be a vector. So you have a mail or IM client running, it downloads an infected message, which is scanned before you even see it, and you're infected. The nice thing about email or IM as a vector is that every infected target contains a handy list of other potential targets.

        1. TheVogon Silver badge

          Re: Not clear how this would be wormable ?

          "From the bug report, it seems anything that can get itself written to the file system could be a vector. So you have a mail or IM client running, it downloads an infected message,"

          But you would still need the right email / IM user name / address?

          1. Mikel

            Re: Not clear how this would be wormable ?

            Outlook receives an email and writes it to disk before evaluating it. It is the disk write itself that triggers the scan that parses the JavaScript in a System process by an unrelated system.

            1. TheVogon Silver badge

              Re: Not clear how this would be wormable ?

              "Outlook receives an email and writes it to disk before evaluating it"

              Outlook only downloads emails for its configured mailboxes on specific email servers. A "worm" would still need to know where to send an email.... So not really wormable it seems.

              1. Kiwi Silver badge
                WTF?

                Re: Not clear how this would be wormable ?

                Outlook only downloads emails for its configured mailboxes on specific email servers. A "worm" would still need to know where to send an email.... So not really wormable it seems.

                Given the lack of understanding of something as basic as email by one of MS's most virulent shills, is it any wonder their basic approach to security also shows such an incredible lack of understanding?

                (But kudos to the team who did get the patch out quickly; MS - that is how it should be done with flaws of this nature!)

                #WishIwasreadingthisacoupleofweeksago

          2. Anonymous Coward

            Re: Not clear how this would be wormable ?

            "But you would still need the right email / IM user name / address?"

            Yes. As long as you've never given your email or IM address to anyone else, you should be safe.

            1. Anonymous Coward

              Re: Not clear how this would be wormable ?

              "Yes. As long as you've never given your email or IM address to anyone else, you should be safe."

              Sure, but you have to be targeted from source data. It's not possible to create an infect-everything worm like, say, Slapper.

  2. Anonymous Coward

    Well if it gets wormed, hopefully a) it will be after an in cycle patch is released, and b) someone will get it to wipe the disks on all the still connected unsupported Windows OS versions out there that are no longer patched, and should have been upgraded years ago...

    1. Planty Bronze badge
      FAIL

      "Use Windows 10" is not a solution, it's more lame horseshit from Microsoft trying to force people to use something they don't want.

      Windows 10 is just as vulnerable as everything else. The scanner executes executables rather than scanning executables...

  3. Florida1920
    Paris Hilton

    Use Windows 10 for the best protection

    From whom?

    1. VinceH

      Re: Use Windows 10 for the best protection

      Well, this time last year I would have answered that question with "from Microsoft"

      Because if you were running Windows 10, Microsoft wouldn't have tried foisting Windows 10 on you without permission.

      Not sure what the correct answer is now, though!

      1. Chemical Bob

        Re: Use Windows 10 for the best protection

        "Not sure what the correct answer is now, though!"

        The correct answer is 'Mostly, Windows 10 protects you from Mostly'.

        No, I don't know what it means either...

      2. Anonymous Coward

        Re: Use Windows 10 for the best protection

        Not sure what the correct answer is now, though!

        Avoiding it like the proverbial plague it is?

    2. Tom 7 Silver badge

      Re: Use Windows 10 for the best protection

      Sting vest condom - lightly ribbed for greater pain.

      1. GrapeBunch Silver badge

        Re: Use Windows 10 for the best protection

        Nothing says "I love you" better than the new Windows On-Off Condom. Now with nettles. It's organic.

  4. Anonymous Coward
    Windows

    So now we can only hope...

    Hope that those Windows 7 and 8 users see the need for this update and will also actually update their machines before it gets run over. Problem being that there are still dozens of users out there who no longer trust Microsoft not to try and push Windows 10 down their throats ...again.

    And this is only a flaw that we now know of, I'm pretty sure many will follow without hitting the news and without the fix finding its way to the affected machines. Because not updating your Windows 7 or 8 machine is the easiest (and thus best) way for many to ensure they're not forcefed with Windows 10.

    Congratulations Microsoft, for making the Internet a much more dangerous place. One step at a time.

    1. Pompous Git Silver badge

      Re: So now we can only hope...

      "there are still dozens of users out there who no longer trust Microsoft"
      Consequently they should be more likely to use better anti-malware than Security Essentials or whatever its title of the week is.

      1. Archtech Silver badge

        Re: So now we can only hope...

        "... they should be more likely to use better anti-malware than Security Essentials or whatever its title of the week is".

        Er, such as?

        1. Swarthy Silver badge
          Alert

          Re: So now we can only hope...

          Er, such as?
          Avast!, Avira, AVG, Comodo, ClamAV ... Basically anything that isn't MS Security Essentials, McAfee (the software), or Norton.

          "Better than Security Essentials" is a fairly low bar to trip over.

      2. Tom Paine Silver badge

        Re: So now we can only hope...

        If you read the bug report you'll see that turning "Windows Defender" off doesn't save you.

        https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5

      3. PNGuinn
        Facepalm

        Re: So now we can only hope... @PG

        "there are still dozens of users out there who no longer trust Microsoft"

        "there are still up to a dozen users out there who still trust Microsoft"

        FIFY

    2. Anonymous Coward

      Re: So now we can only hope...

      Why doesn't Microsoft honor its responsibility rather than use this as an excuse to force people to move to Windows 10 against their will?

      This is yet another problem that was present at time of purchase, if they are not going to fix it then they should refund the user's money and compensate them for their wasted time.

      An OS used to be supported for the life of the hardware it ran upon, if there were errors at the time of sale it was expected that they would be fixed free of charge or money returned.

    3. Steve Davies 3 Silver badge
      Terminator

      Re: So now we can only hope...

      Don't worry, refuseniks (Windows 7/8/8.1 users) will soon be absorbed into the Borg, then deploying updates like this won't be a problem as all Borg members are connected to the mothership 24/7/52.

      With everyone running Windows 10S and connected to MS every minute of the day and night they'll be able to correct, sorry erase problems like this in a flash.

      You will be made part of the collective unless... you can escape to the Underworld of Linux or MacOS.

    4. Archtech Silver badge

      Re: So now we can only hope...

      About 50 years ago, I learned that in linear programming you can only optimize one variable. A similar rule obtains in real life. If you really want to accomplish something you have to make it your top priority and ruthlessly subordinate everything else to it.

      The main reason for Microsoft's success has been that it has always observed that rule meticulously. The corporation's top priority, obviously, is maximizing long-term profit. As a result, it has brought in vast amounts of profit down the years.

      As a side effect, it has also neglected the interests of users - such as security. Implementing and maintaining good security is not only very expensive and time-consuming; it also militates against almost every other possible parameter of running a software business.

    5. Cuddles Silver badge

      Re: So now we can only hope...

      "Hope that those Windows 7 and 8 users see the need for this update and will also actually update their machines before it gets run over."

      From the article:

      "It is switched on by default in Windows 8, 8.1, 10, and Windows Server 2012."

      I'm not sure why anyone would still be using Windows 8, but those of us still using the last decent version of Windows don't seem to have so much of a problem.

      1. Tom Paine Silver badge

        Re: So now we can only hope...

        "It is switched on by default in Windows 8, 8.1, 10, and Windows Server 2012."

        I'm not sure why anyone would still be using Windows 8, but those of us still using the last decent version of Windows don't seem to have so much of a problem.

        Eh? Why not?

        https://technet.microsoft.com/en-us/library/security/4022344

        "Affected software:

        [...]

        Windows Defender for Windows 7 // Critical // Remote Code Execution"

    6. Tom Paine Silver badge

      Re: So now we can only hope...

      Except that if you'd bothered to read the piece you're commenting on you'd see it updates itself automatically and independently from Windows Update.
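The two comments above (the advisory 4022344 listing affected products, and the point that the engine updates itself outside Windows Update) raise the practical question of how to confirm a given box has actually received the fixed engine. The following PowerShell is an added example, not code from the article, from Microsoft or from any commenter. It uses the Defender module's Get-MpComputerStatus and Update-MpSignature cmdlets, which exist on Windows 8/8.1/10 and Server 2012 and later; it assumes the first fixed engine build is 1.1.13704.0, which is what Microsoft's advisory states but which you should confirm against the advisory yourself before relying on the threshold.

```powershell
# Added example (not from the article or any commenter): check whether the
# Microsoft Malware Protection Engine on this host has reached the fixed
# engine build, and request an engine/definition update if it has not.
# Requires the Defender PowerShell module (Windows 8/8.1/10, Server 2012+).
#
# ASSUMPTION: $FixedEngineVersion is the first engine version Microsoft's
# advisory 4022344 lists as fixed. Verify it against the advisory; if your
# copy of the advisory says otherwise, change this value.
$FixedEngineVersion = [version]'1.1.13704.0'

function Get-MpEngineState {
    # Get-MpComputerStatus reports what the running service is using, not
    # what Windows Update history shows, which is why the two can disagree
    # on a machine where the engine updated itself through its own channel.
    $status = Get-MpComputerStatus
    $engine = [version]$status.AMEngineVersion
    [pscustomobject]@{
        EngineVersion      = $engine
        SignatureVersion   = $status.AntivirusSignatureVersion
        SignatureUpdated   = $status.AntivirusSignatureLastUpdated
        RealTimeProtection = $status.RealTimeProtectionEnabled
        EngineIsFixed      = ($engine -ge $FixedEngineVersion)
    }
}

$state = Get-MpEngineState
$state | Format-List

if (-not $state.EngineIsFixed) {
    Write-Warning "Engine $($state.EngineVersion) predates $FixedEngineVersion; requesting an update."

    # Update-MpSignature fetches new definitions and, when one is pending, the
    # new engine build, using the same update path the scanner uses on its own.
    # MicrosoftUpdateServer bypasses an internal WSUS/definition share, which
    # is useful when you suspect the internal mirror is what is lagging.
    Update-MpSignature -UpdateSource MicrosoftUpdateServer

    $state = Get-MpEngineState
    if ($state.EngineIsFixed) {
        Write-Host "Engine now at $($state.EngineVersion)."
    } else {
        Write-Warning "Engine still at $($state.EngineVersion); check outbound connectivity or update policy, or wait for the next automatic cycle."
    }
}
```

Two caveats. On Windows 7 with Microsoft Security Essentials the Defender cmdlets are not available; there the engine version is visible in MSE's Help > About dialog and has to be compared by hand against the same threshold. And, as the Project Zero report quoted elsewhere in this thread notes, turning real-time protection off does not remove the vulnerable engine from the machine, so RealTimeProtection = False is not a substitute for EngineIsFixed = True.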

    7. Stoneshop Silver badge
      Linux

      Re: So now we can only hope...

      Because not updating your Windows 7 or 8 machine is the easiest (and thus best) way for many to ensure they're not forcefed with Windows 10.

      Oh?

      1. Roland6 Silver badge

        Re: So now we can only hope...

        re: Oh?

        Agree, I suspect ShelLuser doesn't actually use Win7 or 8 and so is unaware that since last year MS stopped the Get Windows 10 Free offer and removed it from Windows Update.

        Certainly, since then, none of my Win7/8 systems has either flagged the presence of an OS upgrade or offered any inducement to upgrade. However, it did take a little effort and assistance from GWX Control Panel to avoid the forced free upgrade.

    8. Anonymous Coward

      there are still dozens of users out there who no longer trust Microsoft

      Dozens? Surely you exaggerate?

  5. Mikel

    Shocked! Shocked, I say!

    Who could have imagined?

  6. Christian Berger Silver badge

    The funny thing is...

    ... a large German blog on cyber security and other topics recently asked their readers to send them examples of malware scanners being used to spread malware. Its author was invited to a tour which includes panel sessions with an antivirus vendor....

    ...so the timing was rather good on this one.

  7. Hans 1 Silver badge

    Malware using the anti-virus engine to spread, CIH, anyone ? That thing infected each and every file on your drive when your anti-virus scanned the files.

    https://en.wikipedia.org/wiki/CIH_(computer_virus)

  8. LDS Silver badge

    Meanwhile MS is messing with Windows Update...

    Which is showing old IE patches and you don't understand if they've been reissued or not. Looks like MS obsoleted some updates and broke the 'superseded by' chain.... I wonder who's in charge of updates now, some cousin of Nadella who used to run Windows support scams?

    1. Adam 52 Silver badge

      Re: Meanwhile MS is messing with Windows Update...

      I'm not sure that the racism implicit in your comment is entirely appropriate. There are plenty of reasons to criticise Nadella's strategy at Microsoft but the implication that just because he was born in India he must be involved with scams originating in India seems low. Unless, of course, you have evidence that one of his cousins is running a support center scam.

      1. Anonymous Coward

        Re: Meanwhile MS is messing with Windows Update...

        Er no Adam, you are the one who mentioned India and I am fairly certain everyone agrees that Nadella was doing exactly what he was paid to do.

        1. uncommon_sense
          WTF?

          Re: Meanwhile MS is messing with Windows Update...

          <Nadella was doing exactly what he was paid to do.>

          Running MS into the ground?

          Are you saying that Apple is paying him?

          1. Anonymous Coward

            Re: Meanwhile MS is messing with Windows Update...

            "<Nadella was doing exactly what he was paid to do.>

            Running MS into the ground? "

            Microsoft have been trying to move to as a service for years, they got in a guy who did exactly what they wanted him to do. I am sure it would be nice to blame him for everything but the fact is that history is against it.

            That he has an Indian name again has nothing to do with it, he was just another MS employee following orders

      2. Archtech Silver badge

        Re: Meanwhile MS is messing with Windows Update...

        Are Indians then the only people who have cousins? If so, why was I not told before?

        1. teknopaul Silver badge

          Re: Meanwhile MS is messing with Windows Update...

          No, but I know Indians that use the term cousin for first, second and third cousins once, twice or thrice removed, so they use it a lot more than other English speakers.

          Pretty clear that is what was being referred to, and its use above is clearly snide/racist and certainly out of place on this forum.

  9. LDS Silver badge

    "you have evidence that one of his cousins is running a support center scam"

    Given the way MS had tried to install Windows 10 on the machines of unsuspecting users, I'd say that's highly probable. Same modus operandi.

  10. Captain Badmouth
    Windows

    Plus ça change...

    "If a tweet is causing panic or confusion in your organization, the problem isn't the tweet, the problem is your o/s"

    FTFY Natalie.

    Where's the Trump icon for tweet related posts?

    Never mind, this Trump voter icon will have to do...

    1. GrapeBunch Silver badge
      Pint

      Re: Plus ça change...

      By the power vested in me by nobody, as Queen of Canada, I now pronounce you Admiral Badmouth. Kindly get your bad mouth around this India Pale Ale.

  11. Mystic Megabyte Silver badge
    Linux

    No chance here :(

    My only Windows installation (Win8) stubbornly refuses to download the 1.8GB of updates it advises. Fortunately for me, I never use it.

  12. Anonymous Coward

    It's been patched and rolled out.

    ...latest update closes the issue.

    1. AlbertH
      Linux

      Re: It's been patched and rolled out.

      It might fix that one, but there will be plenty more where that came from!

    2. uncommon_sense
      Windows

      Round And Round We Go...

      <...latest update closes the issue.>

      Until the next time.

      With the new patching system it is assured that new bugs are delivered together with patches for the old ones. The circus continues...

  13. Anonymous Coward

    Too true

    "Over the years we've seen multiple examples of organizations getting word of flaws and dragging their feet for months, or even years, before fixing issues that malware developers may already have spotted."

    <Cough> 5 years Google docs flaw</cough>

    1. RyokuMas Silver badge
      Facepalm

      Re: Too true

      "<Cough> 5 years Google docs flaw</cough>"

      Won't stop the usual knee-jerk though.

      1. dlc.usa
        Facepalm

        Re: Too true

        <cough>Intel AMT authentication</cough> (if you believe SemiAccurate)

    2. Planty Bronze badge
      FAIL

      Re: Too true

      fixed and deployed in 1hr....

  14. poohbear

    Words fail me. How does a program designed to READ data decide to execute it?

    1. joeldillon

      I suggest you google 'buffer overflow'.

      1. Boris the Cockroach Silver badge

        What?

        Surely you're shitting us with a buffer overflow bug?

        after all the times winxp/vista/win7 got patched/owned because of buffer overflow bugs?

        1. Anonymous Coward

          Re: What?

          "after all the times winxp/vista/win7 got patched/owned because of buffer overflow bugs"

          After all the times INSERT ANY OS OR COMMON APP NAME HERE got patched/owned because of buffer overflow bugs

          TFTFY.

  15. knottedhandkerchief

    "Windows has a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible."

    Reactively, Shirley?

    1. Chika

      "Windows has a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible."

      Reactively, Shirley?

      Of course. And don't call me... (Bloody Kentucky Fried Theatre!)

      "We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection."

      We also recommend that we never miss an opportunity to plug our latest shitware.

  16. Anonymous Coward

    This Insane^w Inane Example Will Blow Your Mind

    "Crazy Bad"

    Christ, I hate "everyday bombast meets let's-convert-adverbs-to-adjectives" millennial speak.

    1. Anonymous Coward

      Re: This Insane^w Inane Example Will Blow Your Mind

      WUD U PREFR KITTEH SPEEK?

      WE NED KITTEH ICON!

  17. adam payne Silver badge

    "It is possible for hackers to craft files that are booby-trapped with malicious code, and this nasty payload is executed inadvertently and automatically by the scanner while inspecting the data. The injected code runs with administrative privileges, allowing it to gain full control of the system, install spyware, steal files, and so on."

    A malware scanner that executes code and infects the machine. Oh you couldn't make this up.

    1. patrickstar

      All "antivirus software" has vulnerabilities like this one... And they tend to run with very high privileges, too. Really great concept, or not.

    2. CrazyOldCatMan Silver badge

      A malware scanner that executes code and infects the machine. Oh you couldn't make this up.

      Which was pretty much my reaction..

      Reading more - it seems that there is a language interpreter (akin to Javascript) called NScript included in the anti-malware suite and it's that that can be compromised. Which is a whole other Set of Fail..

      1. GrapeBunch Silver badge
        Windows

        Diet of Write-Only Random Memories

        "Mommy, can I get syphilis from reading porn?" "Yes, Billy."

    3. Archtech Silver badge

      Francis Aloysius Xavier Murphy, at your service sor

      "Oh you couldn't make this up".

      Au contraire, it's merely a basic example of Murphy's Law at work. That kind of thing should be extremely familiar from the first week of Engineering 101.

  18. Anonymous Coward

    Micro$haft RearEnder more like.

  19. Anonymous Coward

    And yet ..

    .. people keep using Windows.

    1. uncommon_sense
      Holmes

      Re: And yet ..

      As long as much stuff only works on Windows, yes, since Adults need to Get Work Done. You may or may not be familiar with the concept..

      Try running a pile of lab gear on WankOS..!

  20. dm_dv
    Devil

    Re: Windows 10 for the best protection!

    Microsoft doesn't really seem to get its own OS, there used to be alternatives, until they forced people to buy a shoddy product, because let's face it, Microsoft is all about "revenue" in ads and they still include "bugs" in Windows, especially MSDOS. You can read about it on the Russian site called Multi-Boot.ru where you may also download a copy of MSDOS 8.0

    The Chinese came along with MSDOS 7.0

    The Free Software alternative FreeDOS provides even more fixes to what some people would call the malicious and deliberate error that people know as Windows!

    http://unix.derkeiler.com/Mailing-Lists/FreeBSD/hackers/2008-04/msg00071.html

  21. dm_dv
    Angel

    Loving the News.

    I'm kinda loving the news that the government managed to single-handedly piss off nearly every single computer security guru and expert on the planet and attacked the single source of their revenue streams by attempting to "hack" into their own systems as maintained by DARPA!

    Why would anyone do that?

    That would be: Stupid

  22. dm_dv
    Linux

    Re: Windows 10 for the best protection

    Gnu/Linux can disable all of its active services and open channels for communication, using TCP/IPSec layers and Kerberos for strong authentication, oh, and it has the capability of turning invisible.

    Whats Windows 10's super power?

  23. Anonymous Coward

    "Crazy Bad" Just Seems So Judgemental

    What kind of behavior do you expect from a bug if you go hanging labels like that on it?

    We all tend to live up - or down - to expectations.

  24. Solly
    Facepalm

    Hmmm

    Surely you could flood it with possible usernames with a zero byte password to establish which usernames had valid accounts, and then step one byte at a time revealing the passwords...

  25. Howard Hanek Bronze badge
    Happy

    False Premise

    ....that 'Windows Defender' protects the customer. It protects Microsoft.

  26. Version 1.0 Silver badge

    I think I just found one of these

    I was looking at a Win 7 PC this morning that was exhibiting a lot of network activity but otherwise was hardly used - the user reported that it had been updating just fine and regularly reported that it had been updated every week. But I completely failed to do a manual update and looking at the history the only thing that has been updated for a couple of months has been the Microsoft Security Essentials - at least that's what it "said" (MRD applies).

    The machine had no mail access and very little browsing activity - I've just nuked it - factory reset with no restore.

Biting the hand that feeds IT © 1998–2019