It looks like Microsoft Defender antivirus has a flaw that allows hackers to plant malware on Windows PCs.
The flaw apparently allows hackers to locate the areas that are excluded from Microsoft Defender's scanning and plant the malware there.
According to some users, the issue has persisted for about eight years or more and affects the Windows 10 21H1 and 21H2 versions.
So, how does it work? Like a lot of antivirus programs, Microsoft Defender allows its users to add local or network locations that are excluded from malware scanning. Users usually do this to prevent the antivirus software from accidentally deleting useful apps.
The problem is, researchers found that Microsoft Defender's list of excluded locations is apparently unprotected, and local users can easily read it.
SentinelOne threat researcher Antonio Cocomazzi, who discovered the RemotePotato0 vulnerability, said that such a list should be considered sensitive and must be protected. The list can be easily discovered by running a "reg query" command.
Nathan McNulty, another security expert, did say that while the issue affects Windows 10 21H1 and 21H2, it does not exist on the latest Windows 11 update.
While attackers do need local access to a machine to read the list, getting it is not a big hurdle. Threat actors who are already on a compromised corporate network can look for a way to move around without being noticed, read the list, and execute their malware from an excluded location.
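Because the exclusion list is readable, the defensive angle is to notice when it is read. The following Python script is an added example, not code from the article or from the researchers it quotes: it runs a simple classifier over a few constructed process-creation events (a made-up "timestamp|user|image|command line" layout, not real Sysmon or Event Log output) and flags command lines that query the Defender exclusion keys with `reg query` or that call the `Get-MpPreference` PowerShell cmdlet, which also returns the configured exclusions. The registry key names are the ones Microsoft documents for user-set and policy-set exclusions; everything else in the sample data is constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample process-creation events (not real telemetry), one per line,
# in a simplified "timestamp|user|image|command line" layout.
SAMPLE_LOG = r"""
2022-01-13T10:02:11Z|CORP\alice|C:\Windows\System32\reg.exe|reg query "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths"
2022-01-13T10:02:40Z|CORP\alice|C:\Windows\System32\reg.exe|reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
2022-01-13T10:03:05Z|CORP\bob|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -c Get-MpPreference
2022-01-13T10:04:17Z|NT AUTHORITY\SYSTEM|C:\Windows\System32\svchost.exe|svchost.exe -k netsvcs
2022-01-13T10:05:00Z|CORP\carol|C:\Windows\System32\cmd.exe|cmd /c reg.exe query hklm\software\microsoft\windows defender\exclusions /s
"""

# Defender exclusions live under HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions
# (user-set) and HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions
# (policy-set); the optional "policies\" group covers both.
EXCLUSION_KEY_RE = re.compile(
    r"(hklm|hkey_local_machine)\\software\\(policies\\)?microsoft\\windows defender\\exclusions",
    re.IGNORECASE,
)
# "reg query" or "reg.exe query", including when wrapped in "cmd /c".
REG_QUERY_RE = re.compile(r"\breg(?:\.exe)?\s+query\b", re.IGNORECASE)
# Get-MpPreference returns ExclusionPath, ExclusionProcess and ExclusionExtension.
MPPREF_RE = re.compile(r"\bget-mppreference\b", re.IGNORECASE)


@dataclass
class Finding:
    timestamp: str
    user: str
    reason: str
    command_line: str


def parse_event(line: str):
    """Split one constructed log line into its four fields; None if malformed."""
    parts = line.split("|", 3)
    if len(parts) != 4:
        return None
    return {"timestamp": parts[0], "user": parts[1], "image": parts[2], "cmdline": parts[3]}


def classify(cmdline: str):
    """Return a reason string if the command line reads the exclusion list, else None."""
    if REG_QUERY_RE.search(cmdline) and EXCLUSION_KEY_RE.search(cmdline):
        return "reg query of Defender exclusion registry key"
    if MPPREF_RE.search(cmdline):
        return "Get-MpPreference exposes exclusion paths/processes/extensions"
    return None


def detect(log_text: str):
    """Run the classifier over every event in the log and collect findings."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        if event is None:
            continue
        reason = classify(event["cmdline"])
        if reason:
            findings.append(Finding(event["timestamp"], event["user"], reason, event["cmdline"]))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f.timestamp} {f.user}: {f.reason} :: {f.command_line}")
```

On the constructed input the script flags the two `reg query` lines that name the exclusions key and the `Get-MpPreference` call, and ignores the query of the unrelated `Run` key and the `svchost.exe` event. The same matching can be dropped into a SIEM rule over real process-creation telemetry; an allow-list for management tooling that legitimately reads these keys would be the first tuning step.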
Via: Bleeping Computer