Microsoft Patches Defender Flaw that Lets Attackers Dodge Antivirus Scans


Microsoft recently fixed a weakness in its dedicated Windows antivirus solution, Microsoft Defender, that allowed threat actors to deploy malicious payloads on compromised machines without being detected.

The vulnerability, which impacts recent versions of Windows 10, has allegedly been open to exploitation since at least 2014. The flaw stemmed from loose permissions on the HKLM\Software\Microsoft\Windows Defender\Exclusions registry key, which holds the list of items (files, extensions, processes, and folders) that Microsoft Defender skips when scanning.

The key was readable by the “Everyone” group, so any local user, with no elevated privileges, could query the registry and retrieve its contents. That made the flaw trivial to exploit: an attacker with an ordinary user account on the machine needed no special permissions at all.

Once an attacker had retrieved the list of excluded items, they could drop and launch malware from an excluded location without fear of detection. BleepingComputer confirmed this by executing a Conti ransomware sample inside an excluded folder without triggering any Microsoft Defender alert.

Microsoft reportedly rolled out a silent update to fix the issue, as confirmed by several security experts. Some users noticed the permission change after applying the February 2022 Patch Tuesday Windows cumulative updates, while others report receiving it without installing any updates.

This suggests that Microsoft delivered the change through both Windows cumulative updates and Microsoft Defender security intelligence updates.

After the update, the Advanced Security Settings for the Exclusions key no longer list the “Everyone” group among its permissions. Consequently, local users on Windows 10 now need administrator privileges to read the list of excluded items from the command line.
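To check whether a given machine still exposes the exclusion list, the following PowerShell script (an added example, not code from the article or from Microsoft) inspects the ACL on the Exclusions key for an “Everyone” entry and then attempts the same enumeration a low-privileged user would perform. Run it from a non-elevated shell: on an unpatched system the enumeration succeeds and prints every excluded path, extension and process; on a patched system it fails with an access-denied error. The key path is the one named in the article; the subkey names (Paths, Extensions, Processes) are Defender's standard layout.

```powershell
# Added example: verify whether the Defender Exclusions key is readable by
# non-administrators. Run from a NON-elevated PowerShell session.
$keyPath = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions'

# 1. Inspect the key's ACL. Before the fix, an Allow ACE for 'Everyone'
#    granted read access; after the fix that ACE is gone. Reading the ACL
#    itself may also be denied on a patched host, hence the try/catch.
try {
    $acl = Get-Acl -Path $keyPath -ErrorAction Stop
    $everyone = $acl.Access | Where-Object {
        $_.IdentityReference -eq 'Everyone' -and $_.AccessControlType -eq 'Allow'
    }
    if ($everyone) {
        Write-Warning "'Everyone' still has $($everyone.RegistryRights -join ', ') on $keyPath"
    } else {
        Write-Output "'Everyone' is not granted access to $keyPath (patched ACL)"
    }
} catch {
    Write-Output "Cannot read ACL from this context: $($_.Exception.Message)"
}

# 2. Enumerate exclusions the way an attacker with a standard account would.
#    Each subkey (Paths, Extensions, Processes) stores excluded items as
#    value NAMES, so we list value names rather than value data.
#    Equivalent one-liner used from cmd.exe:
#      reg query "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions" /s
try {
    $subkeys = Get-ChildItem -Path $keyPath -ErrorAction Stop
    foreach ($sub in $subkeys) {
        foreach ($name in $sub.GetValueNames()) {
            Write-Output ("{0}: {1}" -f $sub.PSChildName, $name)
        }
    }
    Write-Warning "Exclusions are readable without elevation: this host is NOT patched"
} catch {
    Write-Output "Exclusions not readable from this context (expected on a patched host): $($_.Exception.Message)"
}
```

Administrators can still read the same lists through the supported interface, `Get-MpPreference` (properties ExclusionPath, ExclusionExtension and ExclusionProcess); the point of the fix is only that unprivileged accounts can no longer do so via the registry.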