
Windows Defender Vulnerability Lets Hackers Hijack and Disable Services Using Symbolic Links

  • Published September 11, 2025

Cybersecurity

A new technique has been identified that abuses a weakness in the update and execution mechanism of Windows Defender: the way the service chooses which versioned platform folder to run from.

Technical Overview

Exploit Mechanism

Windows Defender stores its executables in versioned folders under C:\ProgramData\Microsoft\Windows Defender\Platform. During a platform update a new folder with a higher version number is created and the service is pointed at it, so the transition between versions is seamless and the previous version's files stay intact.

However, researchers have found that a symbolic link can be placed inside the Platform directory, which is otherwise protected from tampering. By creating a link whose name carries a higher version number than the installed platform, an attacker can make Defender execute from a directory under their control. For example, a link at C:\ProgramData\Microsoft\Windows Defender\Platform\5.18.25070.5-0 that resolves to C:\TMP\AV gives the attacker full control over the antivirus binaries Defender loads from that location.

Potential Impacts

  • Attackers can inject malicious DLLs into Defender processes.
  • Critical executables can be overwritten or deleted.
  • The Defender service can be redirected to invalid paths, effectively disabling it.

If the link is removed after the reboot, Defender tries to start from a folder that no longer exists, fails to launch, and leaves the system unprotected. The whole attack uses only built-in Windows commands such as mklink and rmdir; no additional malware or exploit code is required.
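A defender-side check for the two conditions described above (a link inside Platform that outranks the real platform folder, and a service image path that no longer exists), written as an added example for this article rather than code from the researchers or from Microsoft. It assumes the standard Platform location the article names; the function name Get-DefenderPlatformAudit and the Findings/Suspicious fields are this script's own, and it must run from an elevated PowerShell prompt to read the directory.

```powershell
# Added example, not from the article: audit Defender's Platform directory for
# reparse points (symbolic links or junctions) and check that the folder the
# WinDefend service is configured to launch from really exists.
# Run elevated. Function and field names here are this script's own choices.
function Get-DefenderPlatformAudit {
    [CmdletBinding()]
    param(
        [string]$PlatformPath = (Join-Path $env:ProgramData 'Microsoft\Windows Defender\Platform')
    )

    if (-not (Test-Path -LiteralPath $PlatformPath)) {
        throw "Platform directory not found: $PlatformPath"
    }

    # Folder names look like 4.18.25070.5-0; the part before '-' parses as a [version].
    $folders = Get-ChildItem -LiteralPath $PlatformPath -Directory -Force | ForEach-Object {
        $ver = $null
        [void][version]::TryParse((($_.Name -split '-')[0]), [ref]$ver)
        [pscustomobject]@{
            Name      = $_.Name
            FullName  = $_.FullName
            Version   = $ver
            IsReparse = [bool]($_.Attributes -band [IO.FileAttributes]::ReparsePoint)
            LinkType  = $_.LinkType                      # SymbolicLink, Junction or $null
            Target    = if ($_.LinkType) { @($_.Target) -join ';' } else { $null }
        }
    }

    # The folder Defender treats as newest is the one with the highest version number,
    # which is exactly what the attacker's link name is chosen to win.
    $newest = $folders | Where-Object Version | Sort-Object Version -Descending | Select-Object -First 1

    # MsMpEng.exe runs as a protected process, so (Get-Process MsMpEng).Path may be denied;
    # the service image path in the SCM is readable and is what actually gets launched.
    $svc       = Get-CimInstance Win32_Service -Filter "Name='WinDefend'"
    $imagePath = if ($svc) { $svc.PathName -replace '^"([^"]+)".*$', '$1' } else { $null }
    $imageDir  = if ($imagePath) { Split-Path -Parent $imagePath } else { $null }

    $findings = @()
    foreach ($f in ($folders | Where-Object IsReparse)) {
        # A legitimate platform update never creates links here, only real directories.
        $findings += "Reparse point in Platform: $($f.Name) ($($f.LinkType)) -> $($f.Target)"
    }
    if ($newest -and $newest.IsReparse) {
        $findings += "Highest-version folder $($newest.Name) is a link to $($newest.Target); Defender may load binaries from there"
    }
    if ($imagePath -and -not (Test-Path -LiteralPath $imagePath)) {
        # The rmdir-after-reboot case: the service points at a folder that is gone.
        $findings += "WinDefend image path does not exist: $imagePath (service will fail to start)"
    }
    if ($imageDir -and $newest -and ($imageDir -ne $newest.FullName)) {
        # Expected only transiently right after a platform update, before the service restarts.
        $findings += "Service runs from $imageDir but newest folder is $($newest.FullName)"
    }

    [pscustomobject]@{
        PlatformPath     = $PlatformPath
        NewestFolder     = if ($newest) { $newest.Name } else { $null }
        ServiceImagePath = $imagePath
        Folders          = $folders
        Findings         = $findings
        Suspicious       = ($findings.Count -gt 0)
    }
}

# Usage (elevated): list the folders, warn on each finding, non-zero exit if anything is off.
$audit = Get-DefenderPlatformAudit
$audit.Folders | Format-Table Name, IsReparse, LinkType, Target -AutoSize
$audit.Findings | ForEach-Object { Write-Warning $_ }
if ($audit.Suspicious) { exit 1 }
```

The check keys on the ReparsePoint attribute rather than on folder names, because a junction created with mklink /J and a directory symbolic link created with mklink /D both show up the same way and neither belongs under Platform. The version-mismatch finding is informational: it is normal for a few minutes after a platform update, so treat it as a prompt to look, not as an alert on its own.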

Security Implications

The vulnerability highlights a fundamental flaw in how Defender handles directory structures during updates. Because it does not properly validate symlinks, Defender can be compromised by any local user who already holds administrative privileges. That prerequisite matters: creating the link inside Platform requires an elevated context, so this is a defense-evasion and tampering primitive rather than a privilege escalation. It still underscores a recurring challenge in endpoint defense: security software runs with elevated privileges, yet may itself contain mechanisms an attacker can abuse.

The ability to disable or evade defenses is crucial for attackers seeking persistence on a target system, emphasizing the ongoing cat-and-mouse game between malware developers and defensive technologies. As the default security tool for many users, Windows Defender remains a high-value target for exploitation.

Written By
Brooke Sanders
