I wonder why Windows Defender has the privilege to alter the system files. Read them for analysis? Sure! Reset (as in, call some windows API to have it replaced with the original), why not? But being able to write sounds like a bad idea.
However, I don't know what I'm talking about so take it with a grain of salt!
EvanAnderson 45 minutes ago [-]
AV had traditionally run as SYSTEM on Windows (and, in the past, often had kernel mode drivers too). I've always thought it was a terrible idea. It opens up exciting new attack surfaces. Kaspersky and McAfee both had privilege escalation vulnerabilities that I can recall. There have been a ton in multiple products over the years.
labelbabyjunior 40 minutes ago [-]
They kind of have to, though.
If malware exploits a privilege escalation vuln, what's the AV going to do about it when it's reduced to the software equivalent of a UK police officer? Observe and report? Stop or I'll say "stop" again?
AV requires great power, which requires great responsibility. The second part is what often eludes AV developers.
EvanAnderson 33 minutes ago [-]
The OS should do the SYSTEM-level lifting and scanning processes and behavior analysis should run sandboxed as low priv processes. It would require a clearly defined API and I feel like MSFT was always reticent to commit, leaving AV manufacturers to create hacky nightmares.
labelbabyjunior 29 minutes ago [-]
Well the OS should do nothing—remember MS was taken to court over that—but better privsep on the part of the AV, sure.
Technically, Defender can be replaced with 3rd party AV.
labelbabyjunior 44 minutes ago [-]
Some files under Windows are protected as the TrustedInstaller user, which is a more restrictive level of permissions than SYSTEM.
1 hours ago [-]
labelbabyjunior 52 minutes ago [-]
A local privilege escalation to root via an exploitable service?
Doesn't Linux have one of these CVEs...each week?
hsbauauvhabzb 12 minutes ago [-]
Probably, but is that service deployed as part of the base operating system or a third party package? Can you remove the service if you deem the crazy service behaviour is unnecessary or too risky for your usecase?
ranger_danger 2 hours ago [-]
> normally I would just drop the PoC code and let people figure it out
Looks like that's exactly what they did though?
Or maybe they just meant that they don't usually explain how it works?
kijin 1 hours ago [-]
Tney gave it a sexy name and set up a website about it (a github repo, at any rate), instead of just talking about it in a mailing list and getting a CVE like a proper bearded security researcher.
Rendered at 07:21:55 GMT+0000 (Coordinated Universal Time) with Vercel.
However, I don't know what I'm talking about so take it with a grain of salt!
If malware exploits a privilege escalation vuln, what's the AV going to do about it when it's reduced to the software equivalent of a UK police officer? Observe and report? Stop or I'll say "stop" again?
AV requires great power, which requires great responsibility. The second part is what often eludes AV developers.
Technically, Defender can be replaced with 3rd party AV.
Doesn't Linux have one of these CVEs...each week?
Looks like that's exactly what they did though?
Or maybe they just meant that they don't usually explain how it works?