Windows Defender can be hijacked to ignore malware, falsely recognize benign files as malicious and even delete critical system files to render a machine inoperable, two Israeli researchers demonstrated at the Black Hat security conference here on Aug. 9.
Tomer Bar and Omer Attias of SafeBreach also introduced an automated tool called Defender Pretender that can replicate their attacks, as long as the version of the Microsoft Malware Protection Platform is earlier than 4.18.2303.8. The tool can be found at https://github.com/SafeBreach-Labs/wd-pretender. Microsoft catalogued the attack method as CVE-2023-24934 and patched the vulnerability in April.
"The lesson is 'Trust no one,'" said Bar, "even Microsoft's own processes. Digitally signed files are not always secure, and the signature update process of security programs could be used as an attack vector."
Read the full article on SC Magazine.