Windows Defender Vulnerability Allows Service Hijacking and Disablement via Symbolic Link Attack

Published September 11, 2025

Cybersecurity

A significant vulnerability in the update process of Windows Defender has been identified, allowing attackers with administrative privileges to disable the security service and alter its core files.

The flaw lies in how Defender selects the folder it executes from, and it can be abused with tools that ship with the Windows operating system.

Exploiting the Update Mechanism

The vulnerability centers on the handling of version updates by the WinDefend service. Windows Defender stores its executable files in a version-numbered folder within ProgramData\Microsoft\Windows Defender\Platform\.

Upon startup or update initiation, the service scans the Platform directory and selects the folder with the highest version number as its operational path.

While Microsoft secures these folders against modifications, it has been discovered that an administrator can create new folders within the Platform directory.

This lets an attacker manipulate the update process: by creating a symbolic link (symlink) whose name carries a version number higher than the current one, the attacker can redirect the Defender service to an attacker-controlled folder.

The attack can be executed through the following steps:

  • The attacker copies legitimate Windows Defender executable files to an unsecured location (e.g., C:\TMP\AV).
  • A symbolic link is created inside the protected Platform folder using the mklink command. This symlink is named to appear as a newer version and points to the unsecured folder.
  • Upon system restart, the WinDefend service identifies the symlink as the latest version and launches processes from the attacker-controlled directory.

Once control is established, the attacker gains read/write access to the files Defender operates from, enabling various malicious activities.

An attacker could, for instance, use DLL side-loading to execute malicious code within the trusted Defender process or simply delete the executable files to disable the service.

If the attacker then removes the symbolic link after the hijack, the Defender service can no longer locate its executable path on subsequent runs, effectively disabling real-time virus and threat protection and leaving the system vulnerable.
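A defender can check for the two conditions the article describes, a reparse point planted in the Platform directory and a service path that no longer matches the newest version folder, with a short audit script. The following PowerShell is an added example written for this page; it is not code from the article or from Microsoft. It assumes an elevated PowerShell 5.1 or later session, that Platform subfolders are named like `4.18.<build>.<rev>-<n>` (the trailing `-<n>` is stripped before version comparison; verify the naming on your build), and that the WinDefend service's registered PathName points into one of those folders. The owner heuristic is an assumption: folders Defender itself creates are normally not owned by an interactive administrator account.

```powershell
# Added defensive audit (not from the article): enumerate the Defender Platform
# directory, flag any entry that is a reparse point (symlink or junction), and
# compare the highest version folder with the path WinDefend actually runs from.
# Run from an elevated PowerShell 5.1+ session.

$platformDir = Join-Path $env:ProgramData 'Microsoft\Windows Defender\Platform'

function Get-DefenderPlatformAudit {
    param([string]$Path = $platformDir)

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Platform directory not found: $Path"
        return
    }

    $entries = Get-ChildItem -LiteralPath $Path -Force | Where-Object { $_.PSIsContainer }

    foreach ($entry in $entries) {
        # Any reparse point here is anomalous: Defender writes real folders.
        $isReparse = ($entry.Attributes -band [IO.FileAttributes]::ReparsePoint) -ne 0

        # Assumed naming: 4.18.<build>.<rev>-<n>; drop the "-<n>" suffix for [Version].
        $version = $null
        if ($entry.Name -match '^(\d+(\.\d+){1,3})(-\d+)?$') {
            $version = [Version]$matches[1]
        }

        # Heuristic: Defender-created folders are not owned by interactive admins.
        $owner = try { (Get-Acl -LiteralPath $entry.FullName).Owner } catch { '<acl unreadable>' }

        [pscustomobject]@{
            Name      = $entry.Name
            Version   = $version
            IsReparse = $isReparse
            LinkType  = $entry.LinkType
            Target    = ($entry.Target -join ';')   # string in PS7, array in PS5.1
            Owner     = $owner
        }
    }
}

$findings = Get-DefenderPlatformAudit

# The entry the service would select: highest parsable version number.
$newest = $findings | Where-Object { $null -ne $_.Version } |
    Sort-Object Version -Descending | Select-Object -First 1

# Path the WinDefend service binary is registered at.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='WinDefend'"
$svcPath = if ($svc) { $svc.PathName } else { '<WinDefend service not found>' }

$findings | Format-Table Name, Version, IsReparse, LinkType, Target, Owner -AutoSize
"Newest version entry : $($newest.Name)"
"WinDefend PathName   : $svcPath"

$reparse = $findings | Where-Object { $_.IsReparse }
if ($reparse) {
    Write-Warning ("Reparse point(s) in Platform directory: " + ($reparse.Name -join ', '))
}
if ($newest -and $newest.IsReparse) {
    Write-Warning "The newest-looking version entry is a link, not a real folder; investigate."
}
if ($newest -and $svcPath -notlike "*\$($newest.Name)\*") {
    Write-Warning "WinDefend PathName does not reference the newest Platform folder; investigate."
}
if ($newest -and -not (Test-Path -LiteralPath (Join-Path $platformDir $newest.Name))) {
    Write-Warning "Newest Platform entry does not resolve on disk (dangling link or removed folder)."
}
```

On a clean system every entry should be a plain directory with no link type or target, and the service PathName should point into the highest version folder. A warning from any of the four checks is worth correlating with directory-creation and symbolic-link events in the Platform folder around the time of the last reboot.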

Written By
Nathan Cole
