A recently disclosed vulnerability that allows an attacker to abuse the quarantine feature of anti-virus products to escalate privileges doesn’t affect Windows Defender, Microsoft says.
Dubbed AVGater, the new attack method relies on a malicious DLL being quarantined by an anti-virus product and then abuses the security program’s Windows process to restore the file.
Because the anti-virus process typically runs with System privileges, the restore operation can be redirected so that the malicious file is written to a location other than its original folder (such as the Program Files or Windows folders), from where it could run with higher privileges.
This is possible because of a type of NTFS file link called a junction, which allows the restored file to be written anywhere on the drive. Once the malicious DLL sits in a folder from which a privileged Windows process is launched, that process loads it ahead of the legitimate library because of how the operating system resolves DLLs.
“To exploit this vulnerability, malicious applications, including those launched by user-level accounts without administrator privileges, create an NTFS junction from the %System% folder to the folder where the quarantined file is located. This NTFS junction can trigger the antivirus product to attempt to restore the file into the %System% folder,” Microsoft explains.
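The junction described above is the one artifact a defender can look for independently of any particular anti-virus product. The PowerShell script below is an added example, not code from the article or from Microsoft, that audits user-writable locations for NTFS junctions pointing into privileged directories; the roots to scan and the privileged targets are assumptions and should be adjusted per environment.

```powershell
# Added example: find NTFS junctions in user-writable folders whose target is a
# privileged directory (%SystemRoot%, Program Files). A junction of this shape is the
# precondition for an AVGater-style quarantine-restore redirect, so its presence is a
# useful hunting signal and the affected anti-virus product's restore logs can then be
# checked for an attempted restore into that target.
$PrivilegedTargets = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }

# Assumption: user-writable roots worth scanning. Extend with your AV's quarantine path
# or other world-writable folders as appropriate.
$Roots = @($env:TEMP, $env:USERPROFILE, "$env:SystemDrive\Users\Public")

function Get-SuspiciousJunction {
    param([string[]]$Path, [string[]]$Targets)
    foreach ($root in $Path) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Recurse -Force -Attributes ReparsePoint -ErrorAction SilentlyContinue |
            Where-Object { $_.LinkType -eq 'Junction' } |
            ForEach-Object {
                # Windows PowerShell 5.1 exposes Target as string[], PowerShell 7 as string.
                $target = @($_.Target)[0]
                if (-not $target) { return }
                # Some versions report the target with a \\?\ prefix; normalise it away.
                $target = $target -replace '^\\\\\?\\', ''
                foreach ($t in $Targets) {
                    if ($target -like "$t*") {
                        [pscustomobject]@{ Junction = $_.FullName; Target = $target }
                    }
                }
            }
    }
}

Get-SuspiciousJunction -Path $Roots -Targets $PrivilegedTargets | Format-Table -AutoSize
```

Legitimate junctions into Program Files do exist (installers and compatibility shims create some), so treat a hit as a lead to correlate with the anti-virus quarantine and restore logs rather than as proof of exploitation.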
Discovered by Florian Bogner, information security auditor at Austria-based Kapsch, the bug was said to affect products from a large number of anti-virus makers. However, only Trend Micro, Emsisoft, Kaspersky Lab, Malwarebytes, Check Point (ZoneAlarm) and Ikarus were named, as they have already patched the issue.
In a blog post, Microsoft underlines the fact that Windows Defender is not affected by the AVGater flaw, which requires a non-administrator-level account to perform a restore of a quarantined file.
According to Microsoft, the vulnerability represents a relatively old attack vector, but “Windows Defender Antivirus has never been affected by this vulnerability because it does not permit applications launched by user-level accounts to restore files from quarantine.”
The tech giant explains that this design feature was meant as a built-in protection and that the security application includes similar safeguards against other known user-account permission vulnerabilities as well.