After Years of Being Exploited, Microsoft Finally Runs Windows Defender in Sandboxed Mode
On June 7, 2017, Google Project Zero security researcher Tavis Ormandy tweeted that he had discovered and responsibly disclosed yet another critical vulnerability in Microsoft’s Anti-Malware/Malware Protection Engine (MsMpEng). After writing a custom fuzzer and DLL importer on Linux, he was able to achieve remote code execution against the software giant’s malware protection mechanism. Tavis had previously discovered and responsibly disclosed memory type confusion, denial of service, and privilege escalation vulnerabilities in the same process.
This case illustrates how installing and running anti-virus/anti-malware software can make a system more vulnerable if it is not implemented properly, since running it necessarily increases the attack surface. Unlike a vulnerability in Adobe Acrobat, which requires the end user to open a maliciously crafted PDF file, anti-virus software runs with a high level of privilege and must read and analyze every single file, e-mail, and stream of data in memory that lands on the system, so a flaw in it can be exploited with no user interaction at all. An attacker sending a malformed file, e-mail, instant message, or drive-by download could exploit a vulnerability in the malware protection engine and gain full remote access to the system.
Remember that kid in school who always got picked on and eventually went on to be massively successful and really good looking? Microsoft’s ugly duckling, Windows Defender, has done just that. In a Microsoft Secure blog post published on October 26, Tavis and the rest of the security world finally got their wish: Windows Defender (the malware protection engine) can now run in sandboxed mode (a restrictive process execution environment). Thanks to feedback from internal and external security researchers such as Tavis Ormandy, Microsoft can now boast that its malware protection is the first and only AV solution of its kind with this capability. The feature is currently available to Windows Insiders, who have access to pre-release code; these users can set a flag on their Windows 10 machine today to have Windows Defender run in sandboxed mode.
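As an added example (not from this article or from Microsoft’s post), the following PowerShell sets the flag and then checks whether the sandboxed content process is actually running alongside the engine; the variable name MP_FORCE_USE_SANDBOX and the process name MsMpEngCP.exe are taken from Microsoft’s announcement and are not mentioned on this page, and the script assumes an elevated prompt on a Windows 10 Insider build.

```powershell
#Requires -RunAsAdministrator
# Added example (not the article's or Microsoft's code): enable the Windows Defender
# sandbox and verify it is active. MP_FORCE_USE_SANDBOX and MsMpEngCP.exe are the
# names given in Microsoft's announcement; run from an elevated prompt.

function Enable-DefenderSandbox {
    # Machine-scope environment variable; the engine reads it at start-up,
    # so the change has no effect until the machine is restarted.
    [Environment]::SetEnvironmentVariable('MP_FORCE_USE_SANDBOX', '1', 'Machine')
    Write-Host 'MP_FORCE_USE_SANDBOX=1 set at machine scope; restart to apply.'
}

function Test-DefenderSandbox {
    # The sandbox is observable at runtime as a low-privilege content process
    # (MsMpEngCP.exe) running next to the privileged engine process (MsMpEng.exe).
    $flag    = [Environment]::GetEnvironmentVariable('MP_FORCE_USE_SANDBOX', 'Machine')
    $engine  = Get-Process -Name 'MsMpEng'   -ErrorAction SilentlyContinue
    $content = Get-Process -Name 'MsMpEngCP' -ErrorAction SilentlyContinue

    [PSCustomObject]@{
        FlagSet        = ($flag -eq '1')
        EngineRunning  = [bool]$engine
        ContentRunning = [bool]$content
        SandboxActive  = ([bool]$engine -and [bool]$content)
    }
}

# Usage: enable once, reboot, then check the state.
# Enable-DefenderSandbox
Test-DefenderSandbox | Format-List
```

If FlagSet is true but ContentRunning is false after a reboot, the build in use does not yet honour the flag; the Insider build is a prerequisite.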
Running the anti-virus process in sandboxed mode significantly increases the cost and effort an attacker needs to exploit it. Sandbox escape vulnerabilities are among the most difficult to uncover and command the highest prices and bounties. Even if an attacker were able to exploit the malware protection engine, they would have only very limited, locked-down access to the sandbox itself and not to the full system. Implementing the sandbox is complicated, which explains why it took this long to get here. When running in sandbox mode, there are performance and resource considerations to take into account. Microsoft is uniquely positioned to solve these problems, since it has a deep understanding of how the operating system works and access to the source code and developers. Microsoft is keeping the heavy-lifting components of its malware protection engine un-sandboxed and running only the analysis (the part that has to parse every file, e-mail, IM, etc.) inside the sandbox with very limited privilege.
The very same factors that make Microsoft the only company to have developed this technology, and the one best positioned to design and implement the sandbox, also open it up to antitrust lawsuits. Recalling the famous “It’s like asking Coke to bundle 3 cans of Pepsi in every 6-pack” quote, Microsoft may be forced to (or may willingly) provide competitors with the necessary access (to intellectual property or APIs) so that other vendors can replicate the sandbox and make computing just that much more secure.
While a sandboxed AV solution is a great step in the right direction, security best practices dictate defense in depth and blocking a threat as early in the kill chain as possible. The vast majority of remote code execution attempts and remote access trojans (RATs) come from the internet. Using a secure web proxy armed with Microsoft Active Protections Program (MAPP) intelligence can block a potential threat even before it lands on a user’s system. Windows Defender is free and available on the latest supported Microsoft operating systems, so there is now no significant reason not to enable it for defense in depth. However, running Windows Defender without a secure web proxy is like driving around with a disarmed bomb in your car. Sure, it’s “safe” for now, but it only takes one minor hiccup to go BOOM. It would be much safer not to let the bomb get there in the first place.