Defender-Pretender: When Windows Defender Updates Become a Security Risk

Security

Learn about the "Defender-Pretender" vulnerability, where Windows Defender updates can become a security risk due to design flaws and exploitable validation mechanisms, and how a custom update package can be created to bypass security controls.

Key takeaways
  • The Windows Defender update process has design flaws that can be exploited to bypass its security mechanisms.
  • The update process relies on validation mechanisms to ensure the integrity of the update package, but these mechanisms can be bypassed by modifying the update package’s signature.
  • The Defender Pretender tool was created to test the vulnerability and demonstrate how to exploit it.
  • The tool allows for the creation of a fake update package that can be used to update Defender with a custom database, even without admin privileges or a valid certificate.
  • The update package can be modified to include a custom database that contains signature definitions for known malware, allowing an attacker to mark previously unknown malware as benign.
  • Microsoft’s friendly file implementation can be bypassed, enabling the creation of a custom update package that can be used to evade Defender’s security controls.
  • The vulnerability can be exploited to gain persistence on a target system.
  • Microsoft has assigned a CV ID and released a patch to fix the vulnerability.

More talks

DevOps Patterns and Antipatterns for Continuous Software Updates | Baruch Sadogursky

Configuration and Authentication: Michael Paquier - PGCon 2023

The Evolution of Sustainable DeFi - Brad Harrison, Venus Labs

API World Conference: The API Economy and the Need for an API Management Hub

37C3 - Unlocking the Road Ahead: Automotive Digital Forensics

Taking the risk out of software experimentation

Software security as a force of nature

Smashing the State Machine: The True Potential of Web Race Conditions