Microsoft Modifies Open-Source Code, Blows Hole In Windows Defender (theregister.co.uk)
An anonymous reader quotes a report from The Register: A remote-code execution vulnerability in Windows Defender -- a flaw that can be exploited by malicious .rar files to run malware on PCs -- has been traced back to an open-source archiving tool Microsoft adopted for its own use. The bug, CVE-2018-0986, was patched on Tuesday in the latest version of the Microsoft Malware Protection Engine (1.1.14700.5) in Windows Defender, Security Essentials, Exchange Server, Forefront Endpoint Protection, and Intune Endpoint Protection. This update should be installed, or may have been automatically installed already on your device. The vulnerability can be leveraged by an attacker to achieve remote code execution on a victim's machine simply by getting the mark to download -- via a webpage or email or similar -- a specially crafted .rar file while the anti-malware engine's scanning feature is on. In many cases, this analysis is set to happen automatically.
When the malware engine scans the malicious archive, it triggers a memory corruption bug that leads to the execution of evil code smuggled within the file with powerful LocalSystem rights, granting total control over the computer. The screwup was discovered and reported to Microsoft by legendary security researcher Halvar Flake, now working for Google. Flake was able to trace the vulnerability back to an older version of unrar, an open-source archiving utility used to unpack .rar archives. Apparently, Microsoft forked that version of unrar and incorporated the component into its operating system's antivirus engine. That forked code was then modified so that all signed integer variables were converted to unsigned variables, causing knock-on problems with mathematical comparisons. This in turn left the software vulnerable to memory corruption errors, which can crash the antivirus package or allow malicious code to potentially execute.
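The signed-to-unsigned conversion the summary describes is easy to picture with a small constructed example (added here; this is not unrar's or Microsoft's code, and the block header layout is made up): a bounds check that relies on a subtraction going negative is silently disabled once its operands are unsigned, while a check that compares before subtracting survives the type change.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define BUF_SIZE 64u

/* Constructed block header: claims block_size bytes of data follow it. */
struct block_hdr { uint16_t block_size; };

/* Original signed style: (remaining - needed) < 0 catches an overrun. */
static int accept_block_signed(const unsigned char *buf, size_t buf_len, size_t pos)
{
    struct block_hdr h;
    if (pos + sizeof h > buf_len) return 0;
    memcpy(&h, buf + pos, sizeof h);
    int remaining = (int)(buf_len - pos - sizeof h);
    int needed = (int)h.block_size;
    return (remaining - needed < 0) ? 0 : 1;
}

/* Mechanical "make every int unsigned" rewrite: the subtraction wraps instead
 * of going negative, so "< 0" can never be true and the bounds check is dead. */
static int accept_block_naive_unsigned(const unsigned char *buf, size_t buf_len, size_t pos)
{
    struct block_hdr h;
    if (pos + sizeof h > buf_len) return 0;
    memcpy(&h, buf + pos, sizeof h);
    unsigned remaining = (unsigned)(buf_len - pos - sizeof h);
    unsigned needed = h.block_size;
    return (remaining - needed < 0) ? 0 : 1;   /* compiler may warn: always false */
}

/* Correct unsigned form: compare before subtracting, never rely on a sign bit. */
static int accept_block_fixed(const unsigned char *buf, size_t buf_len, size_t pos)
{
    struct block_hdr h;
    if (pos + sizeof h > buf_len) return 0;
    memcpy(&h, buf + pos, sizeof h);
    size_t remaining = buf_len - pos - sizeof h;
    return (h.block_size > remaining) ? 0 : 1;
}

/* Build a BUF_SIZE-byte constructed buffer whose header claims `claimed` bytes
 * of payload, then run one validator over it. Returns 1 if the block is accepted. */
static int check_with(int (*accept)(const unsigned char *, size_t, size_t), uint16_t claimed)
{
    unsigned char buf[BUF_SIZE] = {0};
    memcpy(buf, &claimed, sizeof claimed);
    return accept(buf, BUF_SIZE, 0);
}
```

With a header claiming 1000 bytes inside a 64-byte buffer, the signed and fixed validators reject the block while the naively converted one accepts it, which is exactly the kind of knock-on comparison error the summary refers to.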
Microsoft is a clueless newbie (Score:5, Insightful)
Sounds exactly like standard operating procedure at Microsoft.
Microsoft: bringing the Blue Screen of Death to Open Source Software since 2015.
Re: (Score:2)
Yeah, whataboutism, I mean, what about it?
"Open source" = geek-click-bait (Score:5, Insightful)
Nothing to see here.
Someone at MS modified code without understanding all the implications, and/or they modified code and someone else at MS called the code without being aware of the modification.
"Forking open source code" could just as easily have been "bought closed-source project from third party then modified it," "hired contractor to write a library then modified it," or "forked code from another MS project then modified it."
Re: (Score:2, Insightful)
Yep, nothing to see here. People at MS take code and modify it without understanding about integer overflows and signing conversion. It's not like that code goes into anything important used on billions of devices that could be exploited by mere exposure to a certain crafted filetype that mere possession should
Re: (Score:3)
Except the open source part meant: 1) They could make the modifications, 2) they could share those modifications, 3) the maintainer (or anyone competent) could have vetted and merged the changes, 4) there was no need to make the changes.
The breakage in this case happened because they made the change carelessly and chose not to participate in the usual quality control. And it caused a major security flaw in the program they force on users specifically for security. I'll grant you the situation would be no be
Re: (Score:2)
except for the fact that MS is using OSS in their products. OK, that is nothing new, but worth repeating.
the other news is of course they are using it wrong and thus introducing errors/bugs into their products.
and lastly, the headline makes it sound as if it's all the fault of OSS, while the opposite is true.
Same old same old (Score:3)
Re: (Score:2)
Why this condonation in the article?
Probably as a "condom"-ation measure. :P
Strat
Re: (Score:2)
Why this condonation in the article?
I think you mean condemnation?
GPL Violation? (Score:2, Flamebait)
It seems like the bigger story here is that Microsoft has included code from the GPL-licensed unrar in their Windows Defender product, without releasing the full source code as required by the license agreement. Am I missing anything? The FSF needs to go after them for this!
Re: (Score:2, Informative)
Unrar is not GPL licensed. It's freeware.
Re: (Score:2)
I always thought it was a good thing that Microsoft got BSD networking code. The GPL(s) really aren't suited for infrastructure code.
Different license? Re:GPL Violation? (Score:1)
Maybe they used a version with a license similar to this one [github.com].
Re: (Score:2, Informative)
However if they didn't disclose in the Windows Defender documentation somewhere prominent that it is a violation of the license to use said code to reverse engineer the RAR file format, then they may have voided their license rights under the otherwise permissive license and Alexander Roshal may have standing to sue them.
No.
Here, let's remove all doubt about this license issue, shall we?
UnRAR - free utility for RAR archives
License for use and distribution of FREE portable version
The source code of UnRAR utility is freeware. This means:
1. All copyrights to RAR and the utility UnRAR are exclusively
owned by the author - Alexander Roshal.
2. UnRAR source code may be used in any software to handle
RAR archives without limitations free of charge, but cannot be
used to develop RAR (WinRAR) compatible archiver and to
re-create RAR compression algorithm, which is proprietary.
Distribution of modified UnRAR source code in separate form
or as a part of other software is permitted, provided that
full text of this paragraph, starting from "UnRAR source code"
words, is included in license, or in documentation if license
is not available, and in source code comments of resulting package.
3. The UnRAR utility may be freely distributed. It is allowed
to distribute UnRAR inside of other software packages.
4. THE RAR ARCHIVER AND THE UnRAR UTILITY ARE DISTRIBUTED "AS IS".
NO WARRANTY OF ANY KIND IS EXPRESSED OR IMPLIED. YOU USE AT
YOUR OWN RISK. THE AUTHOR WILL NOT BE LIABLE FOR DATA LOSS,
DAMAGES, LOSS OF PROFITS OR ANY OTHER KIND OF LOSS WHILE USING
OR MISUSING THIS SOFTWARE.
5. Installing and using the UnRAR utility signifies acceptance of
these terms and conditions of the license.
6. If you don't agree with terms of the license you must remove
UnRAR files from your storage devices and cease to use the
utility.
Thank you for your interest in RAR and UnRAR.
Alexander L. Roshal
Microsoft is not distributing their modified source code so they are not required to display this license in a separate l
Re: (Score:2)
Microsoft is not distributing their modified source code so they are not required to display this license in a separate license file, or program documentation, or comments in modified source code. They are not distributing source code because they don't have to. Clause 3 allows the utility to be distributed freely within other software without limitations. If Microsoft open sourced their anti-virus program and published its source code with the included unrar source code, then it would have to include the unrar license in some form as described above.
Yes, but never mind all that "free license" and "it is allowed to include within" unintelligible legal mumbo-jumbo!
This is *Slashdot*!
"Give me six lines of code written by the hand of another included in Windows, and I shall find something within them to convict Microsoft!"
Strat :)
Re: (Score:2)
2. UnRAR source code may be used in any software to handle
RAR archives without limitations free of charge, but cannot be
used to develop RAR (WinRAR) compatible archiver and to
re-create RAR compression algorithm, which is proprietary.
Distribution of modified UnRAR source code in separate form
or as a part of other software is permitted, provided that
full text of this paragraph, starting from "UnRAR source code"
words, is included in license, or in documentation if license
is not available, and in source code comments of resulting package.
3. The UnRAR utility may be freely distributed. It is allowed
to distribute UnRAR inside of other software packages.
Shitty wording on the licence part, but the code is distributed in compiled binary form as a part of the software. MS would have to display the license in the "about" section that covers licences. They probably do, I've never looked, but these things are the type of things that the lawyers would make damn sure that the devs knew about.
Re: (Score:2)
It really depends what Alexander Roshal thinks "in separate form" means. So far I'm not aware of him claiming that a compiled binary is a form of source code, but I'm sure enough of a case could be made to take it to court if he wanted to.
Re: (Score:2)
Am I missing anything?
You are. unrar's source is licensed under either a BSD-like license, or the GPL, your choice.
Re: (Score:2)
Or... neither?
Looking at the official UnRAR source code (from https://www.rarlab.com/rar_add... [rarlab.com] ), the license.txt is really a BSD-ish style license. No GPL at all. Basically you can use it to handle RAR archives, as long as you don't use it to reverse-engineer RAR compression. No warranty, blah blah blah, but you're free to include it in anything to handle RAR archives.
Re: (Score:2)
ALTERNATIVELY, provided that this notice is retained in full, this product may be distributed under the terms of the GNU General Public License (GPL), in which case the provisions of the GPL apply INSTEAD OF those given above.
Like I said, it's a bsd-like license, or GPL. Your call.
Re: H1B company top to bottom (Score:2)
Re: (Score:2)
No it's not, it's just resting.
Re: (Score:2)
mostly our standard for excellence is very low and people's motivation to do a good job reaches only to the point where they get their wages, with absolutely no desire to go beyond, learn more, or do better.
This applies to first world countries too...
However, there is generally a higher standard of education available and ability to speak English is a given in the US and other English speaking countries.
Re: (Score:2)
Re: (Score:2)
Then you just hide some malware inside a compressed archive and it goes through, although setting a password on the archive works too as the scanner doesn't know the password and can't look at the contents.
The fundamental flaw with AV software, especially on endpoints, is that you have extremely complex code parsing potentially hostile data while running at a high privilege level. Anyone with a basic understanding of security knows what a huge risk this is.
Re: (Score:2)
Well, it seems to me that it wouldn't be too hard to put the scanning process into a sandbox or do "su - nobody -c scanprocess file" then, return the results of the scan to the highly privileged main AV process.
I have applied this pattern many times...
Re: (Score:2)
And it's equally easy to defeat this by simply behaving differently if not allowed privileged access to resources. Can't access device drivers? Oh, then I'm just a notepad program that waits for your input, dear master.
Can I? Then I'm your worst nightmare.
Re: (Score:2)
We do exactly that for gateway devices (mail/web filters) and it works out ok, and severely reduces the amount of crap which reaches end user's systems.
For a desktop this would incur an overhead and make the AV product slower and more bloated than it already is, and there would still need to be part of it running with a high privilege in order to intercept data.
Re: (Score:2)
If cryptolocker etc. proved one thing, then that privilege levels mean jack shit when it comes to destructiveness. What are the files that really matter to you? The ones that you have in your directory, your documents, your mail, your spreadsheets, your holiday pictures and "family movies". What kind of privileges do you need to read, write, modify or delete those files? The ones the user already has.
The main reason that not having an AV on Linux is mostly the same reason there is less commercial software
run scanner with lowest privileges (Score:1)
No need that the scanner runs with LocalSystem rights, it could run standalone with no privileges and could be fed the files to scan by some RPC mechanism.
Re: (Score:2)
Yes, what really makes a system more secure is making it more complicated with more moving parts... try again.