A simple comma is enough to fool the antivirus


A computer security researcher has discovered a rather surprising flaw in Windows Defender: inserting a simple comma into a command line is enough to fool Microsoft's antivirus software.

[Image: Microsoft Defender flaw. Credits: 123RF]

If you own a Windows PC, you probably know Microsoft Defender. After all, Microsoft's antivirus solution comes installed natively on every device running the American giant's OS. Overall, the software provides effective protection against most of the cyber threats users face.

Even so, like any software, Defender can sometimes harbor security vulnerabilities. In May 2022, the Redmond firm notably corrected a significant vulnerability in its antivirus. Present since 2014, this flaw made it possible to bypass Defender's protections through a faulty registry key: by modifying it, an attacker could change the locations excluded from antivirus scanning.

This is not the only vulnerability discovered in Defender in 2022. That same year, John Page, a computer security researcher, revealed that it was possible to bypass antivirus detection by inserting periods and commas into command lines intended to execute malware. After the publication of his work, Microsoft urgently published a patch.

Also read: Windows Defender – security flaw goes unnoticed for 12 years

Commas, the ultimate weapon against Windows Defender?

However, Microsoft has apparently been somewhat lax with this patch. As the specialist explains in a tweet published on February 8, 2024, it is still possible to execute a command launching a JavaScript program simply by adding a second comma!

Typically, Windows Defender detects and blocks execution of TrojanWin32Powessere.G, also known as "POWERLIKS", which abuses rundll32.exe. Execution attempts fail and attackers will usually receive an "Access is denied" error message, he recalls.

He continues: "In 2022 I revealed how this could be easily worked around by taking an extra path when referencing mshtml, but this has since been fixed. However, I found that using multiple commas "," bypasses this fix and will run successfully as of this writing."
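The defensive lesson in the researcher's finding is that a signature matching the raw text of a command line is brittle whenever the program being invoked tolerates padding that the signature does not. The following is an added example, not the researcher's code and not Microsoft's, showing the canonicalization step a detection engineer would put in front of a rundll32 command-line rule: runs of commas and surrounding whitespace are folded to a single comma before matching, and the presence of such padding is surfaced as its own signal. The sample command lines, the `evil.dll`/`EntryPoint` placeholders and the `KNOWN_BAD_CANONICAL` indicator list are all constructed for the demonstration; the folding rule itself rests on the article's observation that the command still runs with extra commas, so the variants are behaviourally equivalent.

```python
import re
from typing import Optional

# Constructed sample command lines for this demonstration. They are not the
# researcher's command and reference no real malware; "evil.dll" and
# "EntryPoint" are placeholders for whatever a real signature keys on.
SAMPLE_COMMAND_LINES = [
    "rundll32.exe C:\\tools\\evil.dll,EntryPoint",          # plain form
    "rundll32.exe C:\\tools\\evil.dll,,EntryPoint",         # one extra comma
    "rundll32.exe  C:\\tools\\evil.dll , , ,EntryPoint",    # commas plus spaces
    "rundll32.exe shell32.dll,Control_RunDLL appwiz.cpl",   # ordinary benign use
]

# Hypothetical indicator list: the canonical "dll,entry" argument a rule would
# match. A raw-string rule for the first sample misses the next two; a rule
# applied after canonicalize() catches all three.
KNOWN_BAD_CANONICAL = {"c:\\tools\\evil.dll,entrypoint"}

# A run of one or more commas, with any whitespace between and around them.
_COMMA_RUN = re.compile(r"\s*,(?:\s*,)*\s*")
_SPACE_RUN = re.compile(r"\s+")


def canonicalize(cmdline: str) -> str:
    """Fold comma runs to one comma and whitespace runs to one space, then
    lowercase. Variants that differ only in comma/space padding become the
    same string, so a rule written against the canonical form is not
    sidestepped by padding."""
    folded = _COMMA_RUN.sub(",", cmdline.strip())
    folded = _SPACE_RUN.sub(" ", folded)
    return folded.lower()


def rundll32_argument(canon: str) -> Optional[str]:
    """Return the 'dll,entry' argument that follows rundll32.exe in a
    canonical command line, or None if this is not a rundll32 invocation."""
    parts = canon.split(" ", 2)
    if not parts or not parts[0].endswith("rundll32.exe"):
        return None
    return parts[1] if len(parts) > 1 else None


def inspect(cmdline: str) -> dict:
    """Canonicalize one command line and report (a) whether comma padding was
    present, which is a cheap obfuscation signal in itself, and (b) whether
    the canonical rundll32 argument matches an indicator."""
    canon = canonicalize(cmdline)
    # The same line with only whitespace collapsed: if it differs from the
    # canonical form, comma padding was doing work.
    plain = _SPACE_RUN.sub(" ", cmdline.strip()).lower()
    return {
        "canonical": canon,
        "comma_padding": plain != canon,
        "matches_indicator": rundll32_argument(canon) in KNOWN_BAD_CANONICAL,
    }


def scan(lines=SAMPLE_COMMAND_LINES):
    """Run inspect() over a batch of command lines (e.g. from process-creation logs)."""
    return [inspect(line) for line in lines]


if __name__ == "__main__":
    for cmd, result in zip(SAMPLE_COMMAND_LINES, scan()):
        print(f"{cmd!r}\n  -> {result}")
```

Canonicalizing before matching is the general fix for this class of bypass; the stronger version of the same idea is to key the rule on what the process actually resolves (the loaded DLL and export) rather than on the command-line text at all, since the text is entirely under the attacker's control.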

For now, Microsoft has not yet responded to the security researcher's latest discovery. We expect, however, that the company will quickly publish a patch to close this new hole.
