Decade-Old Exploit in Windows Defender Finally Patched



Over the last 12 years Microsoft has moved security management away from third-party apps and taken control of it themselves, developing Windows Defender and building it into Windows from Windows 8 onwards.


Since then, Windows Defender has been drastically improved and now runs in every corner of the Earth, happily accepted by consumers and techies alike, on more than a billion devices.


Windows Defender provides a lightweight yet sophisticated security engine and front end that covers your day-to-day security needs: browsing the internet, downloading files, receiving email and general everyday use.


However, deep within the Windows Defender core lurked a vulnerability that was easy to exploit yet hard to find, and it handed an attacker full administrator privileges at the flick of a button, or in this case through the deletion and replacement of one single file. Note that this is a local privilege-escalation bug: the attacker must already be running code on the machine as an ordinary, low-privileged user, and uses the flaw to climb from there to full control of the system.




BTR.sys is one of the internal drivers of the Windows Defender component. In the same way that Windows uses drivers to talk to external hardware such as printers, hard drives and keyboards, it uses the BTR.sys driver to carry out work on behalf of the Windows Defender engine. BTR.sys is responsible for deleting file and registry resources that were created by, or for, malicious means, as directed by Windows Defender. Because it is a kernel-mode driver, it does that work with the highest privileges on the machine, which is exactly why a flaw in it matters so much.


When it deletes a file, BTR.sys makes no attempt to verify the file it is acting on and simply moves on to the next one. That means the deleted file can be replaced just as easily with a file of the attacker's choosing, and because the driver acts on it with system privileges, the attacker's content ends up in a position to take control of your PC with full administrator privileges.


The attacker could then create admin users, enable or edit remote access, block or allow content, software, sites and location browsing, enable or disable firewalls, antivirus and even Windows Defender itself, and do anything else you can think of doing on a PC with full administrator privileges.


The Good News


Microsoft finally released a patch on the 9th of February 2021, and my team and I promptly began updating and rolling out the patch, working from a priority list of server systems starting with our DNS servers and data servers, thus ensuring that our client data is well protected.


My technicians have been working overtime to patch all our internal servers, and we are happy to report that all our internal Windows-based servers and computers have been patched. We would also like to report that the majority of our client servers have already been patched, and we are working on the last few between today and tomorrow. We would have had it all done last week, but, you know, this darned load shedding threw our schedule out the door, as we had to work around client-side load shedding.


It's not over


As hard as we work on our end to patch all the vulnerabilities, we still have some remote-accessibility issues on endpoints, owing to the nature of Windows Defender and, specifically, of Windows Update and WSUS.


We would therefore kindly ask that you ensure, at your earliest convenience, that your operating system is up to date and that Windows Defender is turned on.


If you would like to find out how to check that your updates have been done, please watch this video on our RandTech IT learning centre.
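For readers who administer their own machines, the following PowerShell check does the same verification from an elevated prompt. It is an added example written for this page, not a script from the original post or from Microsoft. It reads the state that Defender itself reports, flags anything that needs attention, and pulls the latest Defender update if so. The engine version used as the "fixed" threshold is an assumption: it is the first fixed Malware Protection Engine version as I recall it from Microsoft's February 2021 advisory, so confirm it against the advisory before relying on it. The host names in the remote-check comment are placeholders.

```powershell
# Added example, not from the original post: verify Windows Defender is on and
# its engine is current on a Windows 10 / Server host. Run from an elevated prompt.
#
# ASSUMPTION: the threshold below is the first engine version that contains the
# February 2021 fix as recalled from Microsoft's advisory. Confirm it there.
$FixedEngineVersion = [version]'1.1.17700.4'

# Get-MpComputerStatus is the Defender cmdlet that reports engine, platform and
# signature versions plus the on/off state of each protection feature.
$status = Get-MpComputerStatus
$engine = [version]$status.AMEngineVersion

Write-Host "Antimalware engine      : $engine"
Write-Host "Antimalware platform    : $($status.AMProductVersion)"
Write-Host "Signature version       : $($status.AntivirusSignatureVersion) (age $($status.AntivirusSignatureAge) days)"
Write-Host "Antivirus enabled       : $($status.AntivirusEnabled)"
Write-Host "Real-time protection on : $($status.RealTimeProtectionEnabled)"

# Collect every condition that would leave the host exposed.
$problems = @()
if (-not $status.AntivirusEnabled)          { $problems += 'Defender antivirus is disabled' }
if (-not $status.RealTimeProtectionEnabled) { $problems += 'real-time protection is off' }
if ($engine -lt $FixedEngineVersion)        { $problems += "engine $engine is older than fixed version $FixedEngineVersion" }
if ($status.AntivirusSignatureAge -gt 7)    { $problems += 'signatures are more than a week old' }

if ($problems.Count -eq 0) {
    Write-Host 'OK: Defender is on and its engine is at or above the fixed version.'
} else {
    Write-Warning ('Action needed: ' + ($problems -join '; '))

    # The Defender engine is delivered through the Defender update channel, not
    # through a cumulative Windows update, so refreshing definitions also moves
    # the engine forward even on hosts whose WSUS path is broken.
    Update-MpSignature

    # If the host is configured to fetch definitions from WSUS and that is what
    # is failing, go straight to Microsoft instead:
    # Update-MpSignature -UpdateSource MicrosoftUpdateServer

    # Re-read the state so the operator sees whether the update took.
    $after = Get-MpComputerStatus
    Write-Host "Engine after update     : $($after.AMEngineVersion)"
}

# To run the same check across a fleet, replace the placeholder names below
# with your own hosts and review the table it returns:
# Invoke-Command -ComputerName srv01, srv02 -ScriptBlock {
#     Get-MpComputerStatus | Select-Object AMEngineVersion, AMProductVersion,
#         AntivirusSignatureAge, AntivirusEnabled, RealTimeProtectionEnabled
# }
```

If `AntivirusEnabled` comes back false, or the cmdlet itself fails, a third-party antivirus has usually taken over and put Defender into passive mode; in that case the third-party product, not Defender, needs to be checked, and Defender's own engine still updates in the background as long as definition updates are reaching the machine.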


If you require any assistance at all, please get in touch with us, we are ready to help you!


Thank you for reading, have a fantastic day further and until next time!
