Google's Project Zero researcher Tavis Ormandy seems to have a way with Windows exploits. Just three days after he revealed what he called a 'crazy bad vulnerability' in Windows earlier this month, he was back at it again with another critical vulnerability, this time in Microsoft's Windows Defender.
Just like the last zero-day, this one involved Microsoft's Malware Protection Engine (MsMpEng); Ormandy explained the technical details as follows:
MsMpEng includes a full system x86 emulator that is used to execute any untrusted files that look like PE executables. The emulator runs as NT AUTHORITY\SYSTEM and isn’t sandboxed. Browsing the list of win32 APIs that the emulator supports, I noticed ntdll!NtControlChannel, an ioctl-like routine that allows emulated code to control the emulator.
In practice this allows both an invasion of your privacy, since an attacker could query your local files via Defender's scan results, and, at worst, remote execution of nefarious code on your system.
Unlike the previous exploit, however, Ormandy did not publicly disclose the vulnerability via Twitter, instead choosing to contact Microsoft directly, which last week pushed out an update that fixed the issue.
Udi Yavo, another researcher, classified the discovery as being "potentially an extremely bad vulnerability, but probably not as easy to exploit as Microsoft’s earlier zero day, patched just two weeks ago." Both Yavo and Ormandy also took issue with Microsoft's implementation of the Malware Protection Engine, criticizing Microsoft's decision not to run it in a sandbox and the inclusion of extra instructions that allow the engine to make API calls.