h/t @nyanbinary

so let me get this straight
microsoft defender, the built-in antivirus tool for windows

has a heap based buffer overflow that leads to remote code execution

if you get it to scan a file, and that file is crafted the right way.

the antivirus tool is the carrier for the execution of malware.

@Viss @nyanbinary antivirus needs an antivirus
@jlin @nyanbinary i think france, denmark and germany have the right idea - just ditch windows entirely
@Viss @jlin @nyanbinary Ditches have a purpose. They are not for refuse. Put that shit in the trash.

@Viss @nyanbinary

Microsoft is an APT.
It is known

@Viss
Though that kinda is always the risk
Antivirus just had the biggest attack surface
@nyanbinary
@_GreyWolf @Viss yip, that is correct & you aren't going to see me jump on the bandwagon of "AV is bad". imo the conclusion then needs to be beyond-rigorous QC. Unfortunately MS has very much lost my trust there, even for components like Defender.

@nyanbinary @_GreyWolf the chief component here is that it's microsoft's av and microsoft's os.

they have the source code. they have limitless resources. they print money.

but even with all that, they wrote av for their own os.

other vendors don't have anywhere near the same resources, or access to all the source code. it's way harder for other vendors

@Viss
And in the end defender often is still a target even if you are running another AV so I usually suggest sticking to defender instead of getting anything else^^
@nyanbinary
@_GreyWolf @nyanbinary defender is better than nothing, but other vendors apparently have a better grasp of windows internals than windows devs do
@Viss
iirc they all had similar problems at some point in time
@nyanbinary
@_GreyWolf @nyanbinary oh this is probably the... i dunno... maybe tenth time I've seen? it's stupid every time though. that part never tarnishes
@Viss @nyanbinary This is why we always advocated for MAC rather than adding layers of bullshit. Y'all are just increasing the attack surface area all the time. You need to REDUCE it with a tiny thoroughly audited reference monitor.
@Viss @nyanbinary Can't make money doing that though... and that's all anyone cares about.
@Viss @nyanbinary straight out of Jennifer Government. (A good read if you haven't read it)
@Viss @nyanbinary this isn’t even the first time this has happened with Defender

@Viss @nyanbinary

Ah good. Now I don't have to deal with code signing my app any more. 😂

@argv_minus_one @Viss @nyanbinary I wonder if I can use this to configure winrm so I can remote in and fix the random shit Microsoft keeps breaking.
@Viss @nyanbinary Reminds me of Taviso's P0 research from a few years ago targeting AV scanning sandboxes/VMs.
@Viss @nyanbinary Sufficiently advanced Windows services are indistinguishable from malware
@catsalad @Viss considering the first 5 hits whenever you search any windows executable are "is this malware?"... Yip!
@catsalad @nyanbinary my favorite is when defender decides another piece of windows is bad and attacks it
@Viss @nyanbinary
Since I turned off Defender – I've gotten back 1GB of RAM and 15% blocked CPU power – and replaced it with my brain. That's all.
@mobidic @nyanbinary i wish avg didn't go shitty. it was pretty good for a while
@Viss @nyanbinary this reminds me of the old days when I tricked a Next Gen AV into code execution in a very simple way on the same day the vendor was on site for a purple team exercise.
@sassdawe @nyanbinary i got arcticfox to run meterpreter for me once
@Viss @nyanbinary do you know why they say that it's complex to exploit? Is it just them trying to minimize the vuln, or is there really a convoluted extra step beyond getting ms defender to scan a file? (I'm not familiar at all with ms defender)
@jpetazzo @nyanbinary zero clue. we won't know til we see a poc or someone does a patchdiff to see how they patched it

@Viss this has happened a few times before, Microslop was going to sandbox the scanner service but I don't know if it made it to production as a default.

https://learn.microsoft.com/en-us/defender-endpoint/sandbox-mdav

Run Microsoft Defender Antivirus in a sandbox environment - Microsoft Defender for Endpoint

This article describes how to run Microsoft Defender Antivirus in a sandbox to further strengthen against tampering.
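As an added, defender-side example (not posted by anyone in this thread): a PowerShell check, run from an elevated prompt on a Windows host, for whether the scanner sandboxing described in the linked Microsoft article is switched on, plus the engine and platform versions you would compare against Microsoft's fix. The MP_FORCE_USE_SANDBOX machine-level variable and the MsMpEngCP.exe content-process name are taken from that article; Get-MpComputerStatus is the standard Defender cmdlet. The patched version numbers are not on this page, so compare the output against the vendor advisory yourself.

```powershell
# Added example: report Defender sandbox state and engine versions.
# Assumptions (from the linked Microsoft article, not from this thread):
#   - MP_FORCE_USE_SANDBOX=1 at Machine scope opts the scanner into the sandbox
#     (set with: setx /M MP_FORCE_USE_SANDBOX 1, then reboot)
#   - when the sandbox is active, a content process named MsMpEngCP.exe runs
#     alongside the main MsMpEng.exe service process
function Get-DefenderSandboxStatus {
    # Machine-scoped variable; the user-scoped one is not what the service reads
    $flag = [Environment]::GetEnvironmentVariable('MP_FORCE_USE_SANDBOX', 'Machine')

    # Presence of the content process is the observable sign the sandbox is live
    $cp = Get-Process -Name 'MsMpEngCP' -ErrorAction SilentlyContinue

    # Engine/platform/signature versions: what you diff against the advisory
    $status = Get-MpComputerStatus

    [pscustomobject]@{
        SandboxFlagSet      = ($flag -eq '1')
        SandboxProcessFound = ($null -ne $cp)
        EngineVersion       = $status.AMEngineVersion
        PlatformVersion     = $status.AMProductVersion
        SignatureVersion    = $status.AntivirusSignatureVersion
        RealTimeProtection  = $status.RealTimeProtectionEnabled
    }
}

Get-DefenderSandboxStatus | Format-List
```

If SandboxFlagSet is true but SandboxProcessFound is false, the variable was most likely set after the last reboot; the service only picks it up at start. The engine version is the field that matters for a scanner-side memory bug like the one in the original post, since the fix ships with the engine, not the OS.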

@sharkfie yeah, I've watched most of them, but it's extra crispy because it's their own os. every time!
@Viss @nyanbinary This is the most MicroSlop thing I’ve seen in a while, or three days. It’s hard to tell anymore.