A vulnerability in the quarantine feature of several antivirus applications does not affect Windows Defender, according to Microsoft in a blog post on its website. The vulnerability, called AVGater, was revealed yesterday by security researcher Florian Bogner.
To exploit the vulnerability, the virus scanner has to detect a malicious DLL file and move it into quarantine. The attacker is then able to move the quarantined DLL file to the folder of an application, which loads the malicious DLL file and executes the attacker's code with full system privileges.
According to Microsoft, it is a relatively old attack vector and Windows Defender has never been vulnerable to it, “because it does not permit applications launched by user-level accounts to restore files from quarantine. This is part of the built-in protections against this and other known user-account permissions vulnerabilities.”
AVGater has already been patched by several antivirus companies; other vendors are still working on an update.