Known as “Aikido”, the PoC does work, and Microsoft has already confirmed that Microsoft Defender was open to the vulnerability. The company says it has already rolled out a patch to fix the flaw. Yair called the attack Aikido after the martial art that relies on using opponents’ moves against them. It is a fitting name because the PoC does just that, turning the tools of anti-malware software against the system they protect. Major anti-virus companies like AVG, TrendMicro, and Avast were also vulnerable, while McAfee and other vendors were not. According to Yair, Aikido is a wiper that leverages a time-of-check to time-of-use (TOCTOU) vulnerability. When the anti-virus program detects a file as malicious, it deletes it. What the PoC does is exploit the TOCTOU window to swap in a different path after the first detection, so that the deletion lands on a legitimate file instead.
Attack Method
The attack starts by creating a new path holding a malicious file at C:\temp\Windows\System32\drivers\ndis.sys. Next, the PoC exploits the TOCTOU window by holding a handle on that file, which forces the anti-virus program to postpone the deletion until the next reboot. It then deletes the C:\temp directory and replaces it with a junction, C:\temp → C:. Lastly, on reboot the scheduled deletion follows the new junction and removes the legitimate file instead of the malicious one.

While the regular Microsoft Defender was vulnerable to this type of attack, Defender for Endpoint behaves differently: it deletes the whole folder instead of the single file.

Microsoft acknowledged the issue and assigned it the ID CVE-2022-37971. A patch was made available through Microsoft Malware Protection Engine version 1.1.19700.2.
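As an added example (not from the article and not SafeBreach's PoC), the check below models the defensive side of this sequence: given the deferred-operation list Windows keeps in the PendingFileRenameOperations registry value and the junctions present on disk, it resolves each queued deletion through the junctions and flags any that would land inside C:\Windows. The registry value name and its (source, target) pair layout are taken from Windows, not from the article; the pending list and junction table are constructed samples.

```python
import ntpath

# Constructed sample of the REG_MULTI_SZ Windows keeps for deferred file operations:
# (source, target) pairs; an empty target means "delete at next boot". The second entry is
# the ndis.sys deletion the article describes, queued while C:\temp was still a real directory.
SAMPLE_PENDING = [
    r"\??\C:\Windows\Temp\update.tmp", "",                     # benign temp-file cleanup
    r"\??\C:\temp\Windows\System32\drivers\ndis.sys", "",      # the Aikido deletion
    r"\??\C:\Program Files\App\new.dll", r"!\??\C:\Program Files\App\app.dll",  # benign rename
]
# Constructed sample of junctions present at check time (what a reparse-point enumeration
# would report). Aikido replaces the C:\temp directory with the junction C:\temp -> C:\.
SAMPLE_JUNCTIONS = {r"C:\temp": "C:\\"}
PROTECTED_ROOTS = (r"C:\Windows",)

def strip_nt_prefix(p):
    """Drop the '\\??\\' NT prefix and the '!' replace-existing marker from a registry entry."""
    for pfx in ("!", "\\??\\"):
        if p.startswith(pfx):
            p = p[len(pfx):]
    return p

def resolve_through_junctions(path, junctions, max_hops=16):
    """Rewrite `path` as the kernel will see it after following junctions (case-insensitive,
    repeated until stable; max_hops guards against junction loops)."""
    for _ in range(max_hops):
        for link, target in junctions.items():
            low, link_low = path.lower(), link.lower()
            if low == link_low or low.startswith(link_low + "\\"):
                path = ntpath.join(target, path[len(link) + 1:])
                break
        else:
            return path
    return path

def pending_deletions(multi_sz):
    """Return the source paths of entries whose target is empty, i.e. deferred deletions."""
    pairs = zip(multi_sz[0::2], multi_sz[1::2])
    return [strip_nt_prefix(src) for src, dst in pairs if dst == ""]

def suspicious_deletions(multi_sz, junctions, roots=PROTECTED_ROOTS):
    """Flag deferred deletions that a junction redirects into a protected tree."""
    flagged = []
    for src in pending_deletions(multi_sz):
        real = resolve_through_junctions(src, junctions)
        if real != src and any(real.lower().startswith(r.lower() + "\\") for r in roots):
            flagged.append((src, real))
    return flagged
```

On a live Windows host the same functions can be fed the registry value read via winreg and the junction list from a reparse-point scan; the logic does not change.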