Microsoft Fixes a Bug in Their Anti-Malware Applications That Lets Someone Turn them Off

Microsoft is joining Symantec and McAfee in a very special group: companies whose anti-malware products can be, and have been, attacked directly. According to its security update, Microsoft says that a specially crafted file can stop the service from working until the file is manually removed.

This file is not malicious in nature, but you can imagine what could happen if someone did try to use this exploit: it would leave anyone using a Microsoft anti-malware application unprotected. The same thing has happened in the past to both McAfee and Symantec, and it motivated both companies to lock down their processes and create additional watchdog services to keep an eye on things.

The bug was originally reported seven months ago by Tavis Ormandy. Ormandy is part of Google’s Project Zero, which works to identify zero-day flaws along with other vulnerabilities. Ormandy believed the flaw was in the JavaScript interpreter used by the service. Microsoft lists the flaw as a denial of service, since it interrupts the anti-malware application’s ability to scan the system until the file is removed.

There is little detail on exactly what happens to create the interruption, but our guess is that when scanning a JS file there are special commands that either create a loop for the scanner (through the interpreter) or cause the scanner to turn off when the file is scanned. Either way it is a bad thing to have happen, but not that difficult to patch. With some of the more intrusive malware we have seen entire processes replaced or registry keys removed. When the process is replaced, it is with a hacked version of the executable; this makes the system think everything is running when it actually is not. With key removal, the system looks like it is installed but is not running.
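As an added illustration (not Microsoft's engine and not code from the article): a scanner that bounds its script emulation with a step budget and a wall-clock deadline, so an input that loops forever is reported as a timeout and the scan moves on to the next file instead of stalling. The toy instruction format and the sample files are constructed for the example.

```python
import time
from dataclasses import dataclass


@dataclass
class Verdict:
    status: str   # "clean", "malicious" or "timeout"
    steps: int    # emulation steps spent before the verdict


def emulate(script, step_budget, deadline):
    """Toy emulation of a script given as a list of instructions (constructed
    format): 'nop' advances, 'jmp N' jumps to instruction N, 'flag' marks the
    script malicious. Each instruction costs one step; the step budget and the
    monotonic deadline bound how long a hostile script can hold the emulator."""
    pc = steps = 0
    while pc < len(script):
        if steps >= step_budget or time.monotonic() > deadline:
            raise TimeoutError(steps)
        op = script[pc]
        steps += 1
        if op.startswith("jmp "):
            pc = int(op.split()[1])      # backward jumps are how a loop forms
        elif op == "flag":
            return "malicious", steps
        else:
            pc += 1
    return "clean", steps


def scan(files, step_budget=1000, wall_seconds=0.5):
    """Scan every file and return {path: Verdict}. A runaway emulation is
    recorded as a timeout rather than allowed to hang the scanner, so the
    remaining files are still scanned."""
    verdicts = {}
    for path, script in files.items():
        deadline = time.monotonic() + wall_seconds
        try:
            status, steps = emulate(script, step_budget, deadline)
        except TimeoutError as exc:
            status, steps = "timeout", exc.args[0]
        verdicts[path] = Verdict(status, steps)
    return verdicts


# Constructed sample inputs: a benign script, one that jumps back to its own
# start forever (the kind of input the article speculates about), and one that
# trips the detection.
SAMPLE_FILES = {
    "benign.js": ["nop", "nop", "nop"],
    "looper.js": ["nop", "jmp 0"],
    "bad.js": ["nop", "flag"],
}

if __name__ == "__main__":
    for path, verdict in scan(SAMPLE_FILES).items():
        print(path, verdict)
```

A timeout verdict is the signal a watchdog or operator should act on (quarantine for manual review); the scanner itself stays up.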

All anti-malware companies really need to step up their game and find better ways to protect end users’ systems. The threats are evolving much faster than the vendors can keep up with, and that puts their clients at risk in many ways. Microsoft will push the patch out soon, so most users will get it through automatic updates. Corporate users will want to make sure their servers are up-to-date and that they push the updated clients out to their networks.
