A critical bug, Facepalm, in Windows Defender has gone 12 years undetected by both attackers and defenders, before finally being patched last fall. The vulnerability in Microsoft’s built-in antivirus software could have allowed hackers to overwrite files or execute malicious code—if the bug had been found.
Let’s be clear—12 years is a long time when it comes to the lifecycle of a mainstream operating system, and it’s a heck of a long time for such a critical vulnerability to hide. Part of the reason for this could be because the bug in question doesn’t actively exist on a computer’s storage—instead, it exists in a Windows system called a “dynamic-link library.” Windows Defender only loads this driver when needed, before wiping it off a computer’s disk.
Wired explains, “When the driver removes a malicious file, it replaces it with a new, benign one as a sort of placeholder during remediation. But the researchers discovered that the system doesn’t specifically verify that new file. As a result, an attacker could insert strategic system links that direct the driver to overwrite the wrong file or even run malicious code.”
Researchers at security firm SentinelOne discovered and reported the flaw last fall, which was subsequently patched.
Microsoft initially rated the vulnerability as “high,” although it’s worth noting that for an attacker to take advantage of the bug, they’d need access—either physical or remote—to your computer. In all likelihood, this means that additional exploits would probably need to be deployed.
Both Microsoft and SentinelOne also agree that there’s no evidence that the now-patched bug was exploited maliciously. And SentinelOne is keeping the specifics of the vulnerability under their hat in order to prevent hackers from taking advantage of the bug while the patch rolls-out.
A Microsoft spokesperson said that anyone who installed the Feb. 9 patch, either manually or via auto-updates, is protected.