
Another vulnerability found in Windows Defender and closed | Cyberops


By Prempal Singh, May 30, 2017

Google Project Zero researcher Tavis Ormandy continues to find vulnerabilities in the Windows operating system. Three days after finding a “glaring vulnerability”, he found a problem in Windows Defender.

Like last time, the exploit is related to the Malware Protection Engine. MsMpEng includes an x86 emulator that runs suspicious files resembling PE executables. The emulator does not run in a sandbox, and the programming interfaces it supports include ntdll!NtControlChannel, through which emulated code can gain control of the emulator itself.

This means that attackers can gain access to users' files through Windows Defender scan results and, at worst, execute code remotely. This time Ormandy did not announce his discovery on Twitter but first notified Microsoft, which released a patch last week.

Another researcher called this vulnerability potentially extremely dangerous but difficult to exploit. Experts have criticized Microsoft for its decision not to sandbox the Malware Protection Engine and for allowing API calls that execute instructions in the emulator.
