Windows Defender could be tricked into deleting databases


Microsoft and Kaspersky’s security products can be tricked into deleting legitimate files, possibly bricking entire applications, experts have warned.

Cybersecurity researchers from SafeBreach discussed their findings during the Black Hat Asia conference in Singapore, The Register reports.

However, not everyone agrees with the researchers, and while Microsoft did acknowledge their findings to some extent, it ultimately decided not to pursue them any further. 

To patch or to rebuild

The researchers - Tomer Bar and Shmuel Cohen - explained that the problem stems from the fact that both Microsoft and Kaspersky use byte signatures to detect malware. Byte signatures, The Register explains, are unique sequences of bytes found in file headers; if an attacker plants one of these sequences inside a legitimate file, the security products flag that file as malicious.

In theory, attackers would be able to delete people's files remotely. For example, they could register as a new user on a website and put the byte signature in their username. The signature would be written into the database file, and the security product would then delete the entire database. In another example, an attacker could add the signature to a comment on a video.
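The failure mode described above comes down to a scanning policy, not to any particular malware. The following Python example, added here and not taken from the researchers, Microsoft or Kaspersky, simulates it: a SQLite database stores an untrusted username containing a constructed placeholder "signature" (not a real AV signature), a naive scanner that matches the sequence anywhere in a file marks the whole database for deletion, and an illustrative safer policy treats a body match in a data file as injected content to alert on, reserving removal for a match where a file header belongs and then quarantining rather than deleting. The `FAKE_SIGNATURE` value and the `header_aware_scan` policy are assumptions for illustration, not how any real product works or was patched.

```python
import os
import sqlite3
import tempfile
from pathlib import Path

# Constructed placeholder standing in for a byte signature; NOT a real AV signature.
FAKE_SIGNATURE = b"FAKE-SIG-DO-NOT-USE-0001"


def build_sample_db(path: str, username: str) -> None:
    """Create a small SQLite database whose users table stores an untrusted username."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("INSERT INTO users (name) VALUES (?)", (username,))
    conn.commit()
    conn.close()


def naive_scan(path: str) -> str:
    """Match the signature anywhere in the file: one hit condemns the whole file."""
    data = Path(path).read_bytes()
    return "delete" if FAKE_SIGNATURE in data else "clean"


def header_aware_scan(path: str) -> str:
    """Illustrative safer policy (an assumption, not any vendor's logic).

    A header signature is only meaningful where a header belongs, so a match
    at offset 0 is treated as a malicious file and quarantined (recoverable).
    A match anywhere else is most likely content written into someone else's
    file (a database row, a log line), so it is reported and the file is kept.
    """
    data = Path(path).read_bytes()
    if data.startswith(FAKE_SIGNATURE):
        return "quarantine"
    if FAKE_SIGNATURE in data:
        return "alert"
    return "clean"


def run_demo() -> dict:
    """Build three files and return the verdict of each scanner on each file."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        # 1. Database holding a username that carries the placeholder signature.
        poisoned_db = os.path.join(tmp, "users.db")
        build_sample_db(poisoned_db, FAKE_SIGNATURE.decode("ascii"))
        # 2. Database holding an ordinary username.
        clean_db = os.path.join(tmp, "users_clean.db")
        build_sample_db(clean_db, "alice")
        # 3. A file that really starts with the signature, i.e. a "malicious" header.
        bad_file = os.path.join(tmp, "dropper.bin")
        Path(bad_file).write_bytes(FAKE_SIGNATURE + b"\x00" * 64)

        for label, path in (("poisoned_db", poisoned_db),
                            ("clean_db", clean_db),
                            ("bad_file", bad_file)):
            results[label] = {"naive": naive_scan(path),
                              "header_aware": header_aware_scan(path)}
    return results


if __name__ == "__main__":
    for name, verdicts in run_demo().items():
        print(f"{name:12s} naive={verdicts['naive']:6s} header_aware={verdicts['header_aware']}")
```

The point of the comparison is the `poisoned_db` row: the naive policy destroys a legitimate database because of a string an untrusted user was allowed to write into it, while the header-aware policy raises an alert and leaves the file intact, and still quarantines the file whose header genuinely matches.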

All of this remains theoretical, because the potential consequences were so severe that the researchers did not dare try it out:

"We thought: 'All Azure clouds are run with Microsoft products and Defender exists on Azure.' We really thought that we can attack Azure cloud with this attack, but we were really scared to try it because we don't know the implication. We could really destroy a production database all over the world, and this could be irreversible. So we were really scared to try to do it ourselves," the researchers told The Register.

Initially, Microsoft acknowledged the findings. The vulnerability was registered under CVE-2023-24860, and patched in April 2023. Kaspersky, on the other hand, didn’t release a patch because "the product's behavior is more driven by design." It was "planning some improvements to mitigate this issue," though.

The researchers didn't stop there. Both Microsoft's and Kaspersky's fixes appeared to work on the surface, but the researchers wanted to dig deeper. They deemed Kaspersky not popular enough to warrant further investigation, so they focused on Microsoft.

They managed to work around the initial patch, which led to CVE-2023-3601 being assigned in December 2023. They tried again, apparently succeeding in bypassing that fix as well, but this time Microsoft wasn't fazed, arguing that the bypass only works on already compromised endpoints.

A "bypass of a defense-in-depth security feature by itself does not pose a direct risk as an attacker must also have found a vulnerability that affects a security boundary or they must rely on additional techniques such as social engineering to achieve the initial stage of a device compromise."

The researchers concluded that, in order to fully address this problem, Defender should be redesigned from the ground up. 


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
