
Microsoft and Kaspersky Struggle to Fully Patch Windows Defender File Deletion Vulnerabilities

Security flaws in Microsoft Defender and Kaspersky EDR allowed attackers to remotely delete files by manipulating how the systems identify malware.


Researchers from the US-Israeli firm SafeBreach have unveiled vulnerabilities in Microsoft Defender and Kaspersky's Endpoint Detection and Response (EDR) systems that could potentially allow attackers to remotely delete files on a victim's computer. The vulnerabilities exploit the security products' reliance on byte signatures to identify malware, enabling false positives that lead to the deletion of legitimate files. SafeBreach's VP of Security Research, Tomer Bar, and security researcher Shmuel Cohen presented their findings at the Black Hat Asia conference in Singapore, detailing how they were able to manipulate these security tools into misidentifying non-malicious files as threats.

Exploitation Methodology

The researchers achieved this by inserting malware signatures into legitimate files, such as databases or virtual machines, causing the EDR systems to flag and subsequently delete these files. This method of attack could be initiated through relatively simple means, such as registering a new user on a website with a name that includes a malware signature, or inserting a signature in a comment on a video. The deletion of these files could disrupt services reliant on them, posing a significant risk to affected systems. Despite reporting these findings to the respective companies, the researchers noted that the vulnerabilities could remain exploitable due to the inherent design of the security products.

Response and Mitigation

Microsoft responded to SafeBreach's findings by issuing patches (CVE-2023-24860 and later CVE-2023-3601) aimed at mitigating the vulnerability. However, SafeBreach was able to bypass the initial patch, prompting further action from Microsoft. The company has since implemented additional measures, including a whitelist and the option for users to configure Defender to quarantine rather than delete flagged files. Kaspersky, on the other hand, did not initially release a fix, stating that the issue was a result of the product's design. It later indicated plans for improvements to address the issue. Despite these efforts, the researchers suggest that completely resolving the vulnerability would require a significant redesign of the products involved.
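As an added illustration (not code from SafeBreach, Microsoft or Kaspersky), the following Python toy models the failure mode the article describes and the two mitigations it mentions: a naive byte-signature scanner whose remediation action is "delete", beside a hardened policy that allowlists data files and quarantines everything else so a false positive is recoverable. The signature string, the file contents and the allowlist-by-extension rule are all constructed for the demo.

```python
import shutil
import tempfile
from pathlib import Path

# Constructed placeholder for a byte signature; it is not a real detection string.
SIGNATURE = b"CONSTRUCTED-TEST-SIGNATURE"

# Constructed database content: record 2's name is user-supplied text that
# happens to contain the signature (the "register a user" case in the article).
DB_CONTENT = b"id=1,name=alice\nid=2,name=" + SIGNATURE + b"\n"


def matches(path: Path) -> bool:
    """Naive byte-signature scan: an occurrence anywhere in the file is a hit."""
    return SIGNATURE in path.read_bytes()


def remediate_delete(path: Path) -> str:
    """Fragile policy: a hit anywhere means the whole file is removed."""
    if not matches(path):
        return "clean"
    path.unlink()
    return "deleted"


def remediate_hardened(path: Path, quarantine: Path, allowlist: set[str]) -> str:
    """Hardened policy (modelled on the mitigations the article mentions):
    allowlisted data files are only reported, everything else is moved to a
    quarantine directory so it can be restored after a false positive."""
    if not matches(path):
        return "clean"
    if path.suffix in allowlist:
        return "reported"
    quarantine.mkdir(parents=True, exist_ok=True)
    shutil.move(str(path), str(quarantine / path.name))
    return "quarantined"


def run(policy: str) -> dict[str, object]:
    """Create a temp 'database' and a temp download, apply one policy ('delete'
    or 'hardened'), and report what happened to each file."""
    tmp = Path(tempfile.mkdtemp())
    db, dl = tmp / "users.db", tmp / "download.bin"
    db.write_bytes(DB_CONTENT)
    dl.write_bytes(b"junk" + SIGNATURE)
    q = tmp / "quarantine"
    if policy == "delete":
        res = {p.name: remediate_delete(p) for p in (db, dl)}
    else:
        res = {p.name: remediate_hardened(p, q, {".db"}) for p in (db, dl)}
    res["db_survives"] = db.exists()
    res["download_recoverable"] = dl.exists() or (q / dl.name).exists()
    return res
```

Under the "delete" policy the database is gone after one planted string; under the hardened policy it survives and the quarantined download can still be restored.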

SafeBreach's findings highlight the complexity of securing modern computer systems against innovative attack vectors. The researchers emphasize the importance of not relying solely on patches as a defense mechanism and advocate for a multi-layered approach to security, acknowledging that vulnerabilities in security controls can lead to unexpected and potentially bypassable behaviors. The ongoing dialogue between cybersecurity researchers and software vendors plays a crucial role in identifying and mitigating such vulnerabilities, underscoring the

Luke Jones
Luke has been writing about all things tech for more than five years. He is following Microsoft closely to bring you the latest news about Windows, Office, Azure, Skype, HoloLens and all the rest of their products.
