Windows Defender Vulnerability Allows Service Hijacking and Disablement via Symbolic Link Attack
A severe vulnerability in Windows Defender’s update process allows attackers with administrator privileges to disable the security service and manipulate its core files.
The core of the exploit lies in the way the WinDefend service handles version updates. Windows Defender stores its executable files in a version-numbered folder, and the service treats the folder with the highest version number as the current one. This oversight allows an attacker to manipulate the update process: by creating a symbolic link in that folder with a version number higher than the current one, an attacker can redirect the Defender service to an entirely different, attacker-controlled folder.
The attack is carried out in a few steps. First, the attacker copies the legitimate Windows Defender files to a new, unsecured location. Next, using the command, they create a symbolic link inside the protected folder. This symlink is given a name that appears to be a newer version of Defender and points to the unsecured folder created in the first step. Upon the next system restart, the WinDefend service identifies the symlink as the latest version and launches its processes from the attacker-controlled directory. Once control is established, the attacker has complete read/write access to the files Defender is running from, which enables several malicious outcomes. For instance, an attacker could plant a malicious DLL in the folder to perform a DLL side-loading attack, executing malicious code within the trusted Defender process. More simply, they could delete the executable files, preventing the service from functioning.
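A defender-side check for the condition described above, written for this article and not part of it: it audits the version-numbered folder for version-named subfolders that are reparse points (symbolic links or junctions) and reports whether the entry the service would select as "latest" is one of them. The folder path is an assumption; pass the Defender platform directory of the system being audited as `$PlatformRoot`.

```powershell
# Added example, not from the original article. Audits a version-numbered folder for
# subfolders that are symbolic links/junctions and flags the highest-version entry if it is one.
function Find-VersionFolderLinks {
    param(
        # Assumption: the caller supplies the version-numbered Defender folder to audit.
        [Parameter(Mandatory)] [string] $PlatformRoot
    )

    $root = (Resolve-Path -LiteralPath $PlatformRoot).ProviderPath.TrimEnd('\')
    $entries = Get-ChildItem -LiteralPath $root -Directory -Force -ErrorAction Stop
    $report = @()

    foreach ($entry in $entries) {
        # Only names that parse as versions take part in "newest version" selection.
        $version = $null
        if (-not [version]::TryParse($entry.Name, [ref]$version)) { continue }

        $isLink = ($entry.Attributes -band [IO.FileAttributes]::ReparsePoint) -ne 0
        $target = $null
        if ($isLink) {
            # PowerShell 7 exposes LinkTarget; Windows PowerShell 5.1 exposes Target (string[]).
            if ($entry.PSObject.Properties['LinkTarget']) { $target = $entry.LinkTarget }
            elseif ($entry.PSObject.Properties['Target'])  { $target = @($entry.Target)[0] }
        }

        $report += [pscustomobject]@{
            Name        = $entry.Name
            Version     = $version
            IsLink      = $isLink
            Target      = $target
            OutsideRoot = [bool]($target -and -not $target.StartsWith($root, 'OrdinalIgnoreCase'))
            Selected    = $false
        }
    }

    # The service picks the highest version; that entry being a link is the red flag.
    $newest = $report | Sort-Object Version -Descending | Select-Object -First 1
    if ($newest) {
        $newest.Selected = $true
        if ($newest.IsLink) {
            Write-Warning ("Newest version folder '{0}' is a reparse point -> {1}" -f $newest.Name, $newest.Target)
        }
    }
    return $report
}

# Usage: Find-VersionFolderLinks -PlatformRoot '<path to Defender platform folder>' | Format-Table
```

Run it from an elevated session on a schedule or as part of a baseline check; any row with `Selected` and `IsLink` both true, or with `OutsideRoot` true, warrants investigation of the link target and its contents.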