Thursday, 18 May 2023 13:16

Microsoft Stops Pushing Defender Update That Hid a Bug Due to Bugs


Over the last few months Windows 11 users have dealt with an annoying bug in Windows Defender: a persistent prompt to restart the machine in order to "enable" Local Security Authority (LSA) protection. The problem is that LSA protection was enabled the whole time. The Windows Security app simply did not acknowledge that the change was complete and kept a flag set that demanded a reboot to finish the configuration. To combat this, Microsoft pushed out a patch that was really little more than clearing that reboot flag from the registry.

For those who are not aware, LSA protection means running the Local Security Authority Subsystem Service (LSASS.exe) as a protected process. LSASS handles authentication and enforces security policy on a device, and its memory holds the material an attacker wants most: password hashes, Kerberos tickets and other authentication tokens. Attackers routinely dump the memory of the LSASS process to harvest these. It is a sensitive process and a well-known target for threat actors, and LSA protection exists to block the common dumping techniques by refusing memory access from unprotected processes, even ones running as administrator.
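The bug above is a mismatch between what the Windows Security app reports and what the system is actually doing, so the useful check is to read the effective state directly. The following PowerShell function is an added example, not code from the article or from Microsoft; it assumes an elevated session on Windows 10 or 11. It compares the configured value (the RunAsPPL registry value under the Lsa key) with the effective value (the Wininit Event ID 12 that Windows logs at boot when LSASS really started as a protected process). The function name and output fields are my own choices.

```powershell
# Added example: verify whether LSA protection is actually in effect,
# independent of what the Windows Security app says.
# Assumption: run from an elevated PowerShell prompt.

function Get-LsaProtectionState {
    [CmdletBinding()]
    param()

    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

    # Configured state. RunAsPPL = 1 (UEFI-locked) or 2 (not UEFI-locked,
    # Windows 11 22H2 and later) asks Windows to start LSASS as a
    # Protected Process Light at the next boot. Missing or 0 means off.
    $runAsPpl = (Get-ItemProperty -Path $lsaKey -Name 'RunAsPPL' `
        -ErrorAction SilentlyContinue).RunAsPPL
    if ($null -eq $runAsPpl) { $runAsPpl = 0 }

    # Effective state. Wininit writes Event ID 12 to the System log at boot:
    # "LSASS.exe was started as a protected process with level: 4".
    # Only events since the last boot count; Event ID 12 is also used by
    # other providers in the System log, so filter on the provider name.
    $lastBoot = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime
    $evt = Get-WinEvent -FilterHashtable @{
            LogName   = 'System'
            Id        = 12
            StartTime = $lastBoot
        } -ErrorAction SilentlyContinue |
        Where-Object {
            $_.ProviderName -like '*Wininit*' -and
            $_.Message -match 'protected process'
        } |
        Select-Object -First 1

    $effective = ($null -ne $evt)

    [pscustomobject]@{
        ConfiguredRunAsPPL = $runAsPpl
        EffectiveAtBoot    = $effective
        LastBoot           = $lastBoot
        # True when a reboot genuinely is needed (configured but not yet
        # effective) or when the registry was cleared but LSASS is still
        # protected from the previous boot.
        RebootActuallyPending = (($runAsPpl -ge 1) -ne $effective)
    }
}

Get-LsaProtectionState
```

If ConfiguredRunAsPPL is 1 or 2 and EffectiveAtBoot is True, the machine is already protected and any "restart to enable" prompt is spurious, which is exactly the situation the article describes. If the two disagree, the reboot prompt is legitimate and the protection does not apply until the next boot.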

Microsoft has flip-flopped on LSA protection as part of Defender for a while, including removing the feature's name from the Windows Security app while leaving it active in the background (by default). In its place the app now shows the much more serious-sounding Kernel-mode Hardware-enforced Stack Protection, a distinct feature that uses CPU shadow stacks to protect kernel-mode code against return-address tampering. The change was allegedly only supposed to be pushed to Insider Preview builds of Windows 11 but was rolled out to 22H2 as well. The buggy fix came when Microsoft rolled out KB5007651. This update was supposed to fix the reboot prompts many were getting, but in the end it created problems of its own, so Microsoft is no longer pushing it out.

Things get worse, as we have heard that the new Kernel-mode Hardware-enforced Stack Protection service conflicts with some anti-cheat software. The issue is significant enough that when the anti-cheat mechanism tries to do its job it can result in a BSOD (Blue Screen of Death) and/or a reboot. This sure makes gaming a pain in the ass. On the other side, I still cannot fathom why an anti-cheat piece of software needs to do anything with the memory space around the LSASS process in the first place. Having worked for an anti-malware company that had memory protection, when I first saw these calls to and reads of memory by popular anti-cheat software, they made no sense. Even after talking to some developers, they still made no sense. The calls, reads, and dumps of and to the memory space around a secure process should not be happening, and to require them is, to me, just bad coding.

Microsoft's current remedy for this "feature" is to completely disable the protection. This leaves users in an awkward position: they can either decrease the security of their device or stop playing the game. That is a very fun choice. For companies that allow BYOD, or that let their users treat corporate assets like their own, things are even worse. Of course, the reality is that there should be stricter controls over any device that has access to corporate data. If that means gaming needs to be blocked, so be it. Still, in the end, modern anti-cheat software also needs to be much more security conscious. There should not be a need to mess with LSASS or the memory space it is using. Full stop.
