12-Year-Old vulnerability in Windows Defender risked 1 billion devices


A critical security vulnerability was identified in Windows Defender, the anti-malware component of Microsoft Windows that ships pre-installed with every copy of Windows. Because of that install base, the number of affected devices is over 1 billion.


This vulnerability could let attackers carry out sophisticated attacks by enabling malicious escalation of privileges.




What’s worth noting is that the vulnerability went unnoticed for over twelve years and was only recently discovered for the first time. The reason it went unnoticed for so long was the very specific nature of the mechanism required to trigger it.


Technical Details


Windows Defender has a remediation process that is carried out by its driver, “BTR.sys”. This driver takes care of any malicious system and registry files from kernel mode. For this purpose, the driver maintains a log of all the operations performed on a specific file by creating a handle on it. The issue lies in the way that handle is created.

[Image: disassembly of the handle-creation code in BTR.sys, sourced from SentinelLabs]



According to a blog post published by researchers at Sentinel Labs, the “r14d” register is cleared by XORing it with itself. Since FILE_SUPERSEDE has the value zero, the constant “FILE_SUPERSEDE” is therefore always passed in the “CreateDisposition” parameter. FILE_SUPERSEDE is the disposition that deletes the original file and creates a new one in its place. It can be seen in the image that the code does not confirm whether the target is a regular file or a link.

In this way, an attacker can create a link ..
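The flaw described above is the combination of a supersede-style (delete and recreate) write with no check of whether the path is a link. The following constructed example, which is not SentinelLabs' or Microsoft's code, contrasts an unchecked supersede with a hardened variant that refuses links and uses `O_NOFOLLOW` / `O_EXCL` so the link check cannot be raced. It uses POSIX symlinks as a portable stand-in for the Windows links and reparse points discussed in the article; the function names, the `demo()` layout and the file names are all assumptions made for this example (on Windows the analogous precaution is opening with `FILE_FLAG_OPEN_REPARSE_POINT` and inspecting the attributes before any destructive disposition).

```python
import os
import stat
import tempfile

# Constructed example, not the article's or the vendor's code.
# "Supersede" here means: replace the content at `path`, creating the
# file if it is missing, mirroring the delete-and-recreate semantics of
# the NtCreateFile FILE_SUPERSEDE disposition.


def supersede_unchecked(path: str, data: bytes) -> None:
    """The flawed pattern: write to `path` without asking what it really is.

    open() follows symlinks, so if `path` is a link planted by a low-privileged
    user the destructive write lands on the link target instead."""
    with open(path, "wb") as f:
        f.write(data)


class LinkRejected(Exception):
    """Raised by the hardened variant when `path` is not a regular file."""


def supersede_checked(path: str, data: bytes) -> None:
    """Hardened pattern: inspect the path without following it, then open it
    with flags that make the inspection result binding."""
    try:
        st = os.lstat(path)  # lstat reports on the link itself, not its target
    except FileNotFoundError:
        # Nothing there yet: create it, and O_EXCL guarantees that a link
        # slipped in between lstat and open makes the open fail rather than
        # silently redirecting the write.
        flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL
    else:
        if stat.S_ISLNK(st.st_mode) or not stat.S_ISREG(st.st_mode):
            raise LinkRejected(f"refusing to supersede non-regular file: {path}")
        # O_NOFOLLOW closes the lstat/open race for an existing path.
        flags = os.O_WRONLY | os.O_TRUNC | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    try:
        os.write(fd, data)
    finally:
        os.close(fd)


def demo() -> dict:
    """Build a scratch directory with a protected file and a link pointing at
    it (constructed test data), run both variants, and report what happened."""
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "protected.txt")   # the file a link could redirect to
        link = os.path.join(d, "quarantine.tmp")     # the path the remediation writes to
        regular = os.path.join(d, "regular.txt")     # an honest, non-link target
        fresh = os.path.join(d, "new.txt")           # does not exist yet
        with open(victim, "wb") as f:
            f.write(b"original")
        with open(regular, "wb") as f:
            f.write(b"old")
        os.symlink(victim, link)

        # 1. Unchecked supersede through the link overwrites the protected file.
        supersede_unchecked(link, b"REPLACED")
        with open(victim, "rb") as f:
            victim_after_unchecked = f.read()

        # 2. Checked supersede refuses the link and leaves the target alone.
        rejected = False
        try:
            supersede_checked(link, b"REPLACED AGAIN")
        except LinkRejected:
            rejected = True
        with open(victim, "rb") as f:
            victim_after_checked = f.read()

        # 3. Checked supersede still works on a regular file and a new path.
        supersede_checked(regular, b"new")
        supersede_checked(fresh, b"created")
        with open(regular, "rb") as f:
            regular_after = f.read()
        with open(fresh, "rb") as f:
            fresh_after = f.read()

        return {
            "unchecked_redirected": victim_after_unchecked == b"REPLACED",
            "checked_rejected": rejected,
            "victim_after_checked": victim_after_checked,
            "regular_after": regular_after,
            "fresh_after": fresh_after,
        }


if __name__ == "__main__":
    print(demo())
```

The important design point is that the check and the open must be tied together: an `lstat` followed by a plain `open` still leaves a window in which the path can be swapped for a link, which is why the hardened variant relies on `O_NOFOLLOW` for existing files and `O_EXCL` for new ones rather than on the inspection alone.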