A GitHub project that disables Windows Defender and firewall is generating buzz among cybersecurity researchers. Will Dormann, a senior vulnerability analyst at CERT, posted about the GitHub project on a Mastodon cybersecurity instance. “Somebody figured out the secret technique that 3rd-party AV uses to disable Microsoft Defender so that they themselves can run without interference,” Dormann wrote. “This tool uses this technique to install a null AV product, thus having the effect of simply disabling Microsoft Defender.” Dormann included a screen recording of the tool in action, and it appears to work effectively (screenshot below). [caption id="attachment_72709" align="alignnone" width="1057"] 'No Defender' Windows Defender bypass[/caption] The GitHub project, simply called “No Defender,” is billed as “A fun way to disable windows defender + firewall.” In a note on the project, repository owner “es3n1n” said they essentially reverse-engineered the API that antivirus vendors use to disable Windows Defender. “There's a WSC (Windows Security Center) service in Windows which is used by antiviruses to let Windows know that there's some other antivirus in the hood and it should disable Windows Defender,” the note states. “This WSC API is undocumented and furthermore requires people to sign an NDA with Microsoft to get its documentation, so I decided to take an interesting approach for such a thing and used an already existing antivirus called Avast. This AV engine includes a so-called wsc_proxy.exe service, which essentially sets up the WSC API for Avast. With a little bit of reverse engineering, I turned this service into a service that could add my own stuff there.” One limitation noted by es3n1n is that “to keep this WSC stuff even after reboot, no-defender adds itself (not really itself but rather Avast's module) to the autorun. Thus, you would need to keep the no-defender binaries on your disk.”

Windows Defender Bypass Requires Admin Privileges

EDR (endpoint detection and response) and antivirus software bypasses aren’t uncommon, as hackers and researchers alike have found ways to disable security defenses. Security researchers and testers often turn off security defenses in the course of research and testing, so such tools have legitimate uses too. As one commenter noted on the ycombinator Hacker News feed, "Defender is a real irritant when doing security research and is near impossible to turn off completely and permanently. Even using the Group Policy Editor or regedits is not reliable. If you do get it to stop, it will randomly reenable itself weeks later...For the vast majority of people this is a good thing!" Dormann noted that elevated admin privileges are all that’s required to run the No Defender tool, so Windows users have yet another reason not to run Windows as an admin. “If you don't log in to Windows as an admin, as we security-conscious people do, then you won't have as much to worry about,” Dormann wrote. One Mastodon commenter saw the GitHub tool as an Avast flaw rather than Microsoft’s, noting that “it requires an executable signed with AuthentiCode SigningLevel 7 ("Signed by an Antimalware vendor whose product is using AMPPL"). “I see this more as a vulnerability of the Avast wsc_proxy.exe component misused here that allows untrusted/unsigned code to interact with it,” said the commenter, who goes by the handle “faebudo.” The Cyber Express reached out to Microsoft and Avast for comment and will update this article with any response. But Dormann told The Cyber Express the issue is "more of a novelty than a vulnerability per se. Admin-privileged users can do admin things. Which includes reconfiguring the system they're on. Including kernel-level access."

If only Patch Tuesdays came around infrequently — like total solar eclipse rare — instead of just creeping up on us each month like The Man in the Moon. Although to be fair, it would be tough for Microsoft to eclipse the number of vulnerabilities fixed in this month’s patch batch — a record 147 flaws in Windows and related software.

Yes, you read that right. Microsoft today released updates to address 147 security holes in Windows, Office, Azure, .NET Framework, Visual Studio, SQL Server, DNS Server, Windows Defender, Bitlocker, and Windows Secure Boot.

“This is the largest release from Microsoft this year and the largest since at least 2017,” said Dustin Childs, from Trend Micro’s Zero Day Initiative (ZDI). “As far as I can tell, it’s the largest Patch Tuesday release from Microsoft of all time.”

Tempering the sheer volume of this month’s patches is the middling severity of many of the bugs. Only three of April’s vulnerabilities earned Microsoft’s most-dire “critical” rating, meaning they can be abused by malware or malcontents to take remote control over unpatched systems with no help from users.

Most of the flaws that Microsoft deems “more likely to be exploited” this month are marked as “important,” which usually involve bugs that require a bit more user interaction (social engineering) but which nevertheless can result in system security bypass, compromise, and the theft of critical assets.

Ben McCarthy, lead cyber security engineer at Immersive Labs called attention to CVE-2024-20670, an Outlook for Windows spoofing vulnerability described as being easy to exploit. It involves convincing a user to click on a malicious link in an email, which can then steal the user’s password hash and authenticate as the user in another Microsoft service.

Another interesting bug McCarthy pointed to is CVE-2024-29063, which involves hard-coded credentials in Azure’s search backend infrastructure that could be gleaned by taking advantage of Azure AI search.

“This along with many other AI attacks in recent news shows a potential new attack surface that we are just learning how to mitigate against,” McCarthy said. “Microsoft has updated their backend and notified any customers who have been affected by the credential leakage.”

CVE-2024-29988 is a weakness that allows attackers to bypass Windows SmartScreen, a technology Microsoft designed to provide additional protections for end users against phishing and malware attacks. Childs said one of ZDI’s researchers found this vulnerability being exploited in the wild, although Microsoft doesn’t currently list CVE-2024-29988 as being exploited.

“I would treat this as in the wild until Microsoft clarifies,” Childs said. “The bug itself acts much like CVE-2024-21412 – a [zero-day threat from February] that bypassed the Mark of the Web feature and allows malware to execute on a target system. Threat actors are sending exploits in a zipped file to evade EDR/NDR detection and then using this bug (and others) to bypass Mark of the Web.”

Update, 7:46 p.m. ET: A previous version of this story said there were no zero-day vulnerabilities fixed this month. BleepingComputer reports that Microsoft has since confirmed that there are actually two zero-days. One is the flaw Childs just mentioned (CVE-2024-21412), and the other is CVE-2024-26234, described as a “proxy driver spoofing” weakness.

Satnam Narang at Tenable notes that this month’s release includes fixes for two dozen flaws in Windows Secure Boot, the majority of which are considered “Exploitation Less Likely” according to Microsoft.

“However, the last time Microsoft patched a flaw in Windows Secure Boot in May 2023 had a notable impact as it was exploited in the wild and linked to the BlackLotus UEFI bootkit, which was sold on dark web forums for $5,000,” Narang said. “BlackLotus can bypass functionality called secure boot, which is designed to block malware from being able to load when booting up. While none of these Secure Boot vulnerabilities addressed this month were exploited in the wild, they serve as a reminder that flaws in Secure Boot persist, and we could see more malicious activity related to Secure Boot in the future.”

For links to individual security advisories indexed by severity, check out ZDI’s blog and the Patch Tuesday post from the SANS Internet Storm Center. Please consider backing up your data or your drive before updating, and drop a note in the comments here if you experience any issues applying these fixes.

Adobe today released nine patches tackling at least two dozen vulnerabilities in a range of software products, including Adobe After Effects, Photoshop, Commerce, InDesign, Experience Manager, Media Encoder, Bridge, Illustrator, and Adobe Animate.

KrebsOnSecurity needs to correct the record on a point mentioned at the end of March’s “Fat Patch Tuesday” post, which looked at new AI capabilities built into Adobe Acrobat that are turned on by default. Adobe has since clarified that its apps won’t use AI to auto-scan your documents, as the original language in its FAQ suggested.

“In practice, no document scanning or analysis occurs unless a user actively engages with the AI features by agreeing to the terms, opening a document, and selecting the AI Assistant or generative summary buttons for that specific document,” Adobe said earlier this month.