
Windows Defender Immune to AVGater Quarantine Flaw: Microsoft

A recently disclosed vulnerability that allows an attacker to abuse the quarantine feature of anti-virus products to escalate privileges doesn’t affect Windows Defender, Microsoft says.

Dubbed AVGater, the new attack method relies on a malicious DLL being quarantined by an anti-virus product and then abuses the security program’s Windows process to restore the file.

Because the anti-virus process typically runs with System privileges, the restored file can be written to a location other than its original folder (such as the Program Files or Windows folders), where it could run with higher privileges.

This is possible because of NTFS junctions, a type of file-system link that lets the restored file be written anywhere on an NTFS volume. Once written to a folder from which a privileged Windows process is launched, the malicious DLL is loaded first, due to the way the operating system locates libraries.

“To exploit this vulnerability, malicious applications, including those launched by user-level accounts without administrator privileges, create an NTFS junction from the %System% folder to the folder where the quarantined file is located. This NTFS junction can trigger the antivirus product to attempt to restore the file into the %System% folder,” Microsoft explains.

Discovered by Florian Bogner, information security auditor at Austria-based Kapsch, the bug was said to affect products from a large number of anti-virus makers. However, only Trend Micro, Emsisoft, Kaspersky Lab, Malwarebytes, Check Point (ZoneAlarm) and Ikarus were named, as they have already patched the issue.

In a blog post, Microsoft underlines the fact that Windows Defender is not affected by the AVGater flaw, which requires a non-administrator-level account to perform a restore of a quarantined file.

According to Microsoft, the vulnerability represents a relatively old attack vector, but “Windows Defender Antivirus has never been affected by this vulnerability because it does not permit applications launched by user-level accounts to restore files from quarantine.”

The tech giant explains that this design feature was meant as a built-in protection and that the security application includes similar safety measures against other known vulnerabilities involving user-account permissions as well.
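The junction redirection described above can also be caught on the restore side by refusing any destination whose directory chain contains a reparse point. The following Python is an added example, not code from Microsoft or from any of the vendors named here; `check_restore_path`, `restore_from_quarantine`, `trusted_root` and the directory layout built in `demo()` are all assumptions, and a symlink stands in for the NTFS junction so the scenario runs on any OS.

```python
import os
import stat
import tempfile

def is_reparse_point(path):
    """True for a symlink on any OS, or any reparse point (incl. junctions) on Windows."""
    try:
        st = os.lstat(path)
    except OSError:
        return False  # component does not exist yet: nothing to redirect through
    attrs = getattr(st, "st_file_attributes", 0)  # only present on Windows
    return stat.S_ISLNK(st.st_mode) or bool(attrs & stat.FILE_ATTRIBUTE_REPARSE_POINT)

def check_restore_path(original_path, trusted_root):
    """Every component below trusted_root (e.g. the volume root) must be a plain directory."""
    dest, root = os.path.abspath(original_path), os.path.abspath(trusted_root)
    if os.path.commonpath([dest, root]) != root:
        raise PermissionError(f"restore refused: {dest} is outside {root}")
    current = dest
    while current != root:
        if is_reparse_point(current):
            raise PermissionError(f"restore refused: {current} is a junction/symlink")
        current = os.path.dirname(current)
    return dest

def restore_from_quarantine(quarantined_file, original_path, trusted_root):
    """Hardened restore: validate the recorded path, then move the file back."""
    dest = check_restore_path(original_path, trusted_root)
    os.makedirs(os.path.dirname(dest), exist_ok=True)
    os.replace(quarantined_file, dest)
    return dest

def demo():
    """Constructed scenario; a symlink stands in for the attacker's NTFS junction."""
    base = tempfile.mkdtemp()
    system_dir, downloads = os.path.join(base, "system"), os.path.join(base, "downloads")
    os.mkdir(system_dir)
    os.mkdir(downloads)
    os.symlink(system_dir, os.path.join(downloads, "evil"))  # downloads/evil -> "%System%"
    def attempt(original):  # stage a placeholder in quarantine, then try to restore it
        qfile = os.path.join(base, os.path.basename(original) + ".quarantined")
        with open(qfile, "w") as f:
            f.write("placeholder, not a real DLL")
        try:
            return os.path.isfile(restore_from_quarantine(qfile, original, base))
        except PermissionError:
            return False
    clean_ok = attempt(os.path.join(downloads, "clean.dll"))
    blocked = not attempt(os.path.join(downloads, "evil", "payload.dll"))
    return clean_ok, blocked, not os.listdir(system_dir)
```

The check is still check-then-use, so a junction swapped in between the walk and the move would slip past it; it complements, rather than replaces, the restriction Microsoft describes of not letting user-level accounts trigger a restore at all.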
