In spite of a flurry of patches designed to fix Windows Defender, at least one security researcher reckons there's still work to be done.
James Lee, who has presented at conferences like Zer0con, has contacted experts to say the key vulnerable component, MsMpEng, is still subject to remote code execution.
As with the bugs disclosed by Tavis Ormandy and fellow Project Zero researcher Mateusz Jurczyk, the bugs Lee's outlined to us arise because of insufficient sandboxing. While he hasn't provided full details to us, he's posted two remote code execution proof-of-concept videos at YouTube:
In spite of the system being fully patched (as shown in the first video), Lee's work shows Windows Defender crashing and unable to restart.
Lee told his discoveries aren't related to what Microsoft's fixed in response to Project Zero's recent disclosures. Those, he wrote in an e-mail, covered “multiple denial-of-service, integer overflow, and use-after-free bugs”, while his work has drilled into type confusions and logical bugs.
Lee's demonstration that MsMpEng needs to be sandboxed is in line with yet another Tweet from Ormandy (the world is waiting for what follows):
Ever since early May, MsMpEng's lack of sandboxing has been under increasing criticism from researchers. Yesterday, yet another sandbox escape was posted to GitHub by Thomas Vanhoutte. That contribution (not yet complete, Vanhoutte writes) aims to give a guest-privilege attacker the ability to use Defender to delete arbitrary files, including DLLs (which would offer various hijack opportunities).