To take over a computer, all that was needed was to get a manipulated RAR archive onto the system. By default, Windows Defender scans files automatically, so the archive is analyzed as soon as it becomes available to the software, which can happen when the file sits on a network drive or arrives attached to a message.
The scan process alone is enough to execute specially prepared code contained in the file; no user interaction is required. The code then runs with LocalSystem privileges, which means there are virtually no restrictions and the computer can be regarded as completely compromised.
The piquant detail: Microsoft did not even introduce the bug itself. Google security researcher Halvar Flake, who discovered the bug in Windows Defender, traced it back to an older version of the unrar archiving software. At some point Microsoft had forked the open source project's code and built it into its virus scanner so that it could also inspect the contents of RAR archives.
The bug evidently went undiscovered for a long time because it had no effect in the original code. Only in combination with the implementation in Windows Defender did it take effect, enabling memory corruption that in the more favorable case merely crashes the virus scanner, but can also let foreign code penetrate deep into the system.
Basically, the bug is also an example of the fundamental problems that come with the use of anti-virus software, and of why such products are met with rejection by many security experts: the protection the programs offer on regularly updated systems is rather modest, while a single bug not only opens the gates to malware but also paves the way past all other security layers.