Defender-Pretender: When Windows Defender Updates Become a Security Risk

Security

Learn about the "Defender-Pretender" vulnerability, where Windows Defender updates can become a security risk due to design flaws and exploitable validation mechanisms, and how a custom update package can be created to bypass security controls.

Key takeaways
  • The Windows Defender update process has design flaws that can be exploited to bypass its security mechanisms.
  • The update process relies on validation mechanisms to ensure the integrity of the update package, but these mechanisms can be bypassed by modifying the update package’s signature.
  • The Defender Pretender tool was created to test the vulnerability and demonstrate how to exploit it.
  • The tool allows for the creation of a fake update package that can be used to update Defender with a custom database, even without admin privileges or a valid certificate.
  • The update package can be modified to include a custom database that contains signature definitions for known malware, allowing an attacker to mark previously unknown malware as benign.
  • Microsoft’s friendly file implementation can be bypassed, enabling the creation of a custom update package that can be used to evade Defender’s security controls.
  • The vulnerability can be exploited to gain persistence on a target system.
  • Microsoft has assigned a CV ID and released a patch to fix the vulnerability.

More talks

Route to Bugs: Analyzing the Security of BGP Message Parsing

Glitched on Earth by Humans: A Black-Box Security Evaluation of the SpaceX Starlink User Terminal

You Don't Need Containers to Run Django in Production with Eduardo Felipe Castegnaro - DCUS 2022

37C3 - SMTP Smuggling – Spoofing E-Mails Worldwide

Cybersecurity for Crypto Startups and Companies

Keynote: How I Met Your Data - Troy Hunt - NDC Security 2024

PHP UK 2023 - King Vault

Security Champions? Introduce them in your Organisation | Ives Laaf