In July, Microsoft released the second-largest security patch in its history, fixing 123 security issues. The largest was released in January of this year and fixed 129 security flaws. However, this does not prevent new security problems from being found. Normally, Redmond (like other companies) is given 90 days to fix them before they are made public. One of the latest is related to the app store.
What is wsreset.exe and what does it do with the antivirus?
Security researcher Daniel Gebert has found that wsreset.exe can be "abused" to delete arbitrary files from the operating system. This executable runs with elevated privileges in Windows 10 because it acts on system settings. It is an app store tool that resets all settings and stored content without deleting applications or user accounts.
When it creates temporary files and cookies, the app store stores them in these two locations:
%UserProfile%\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\AC\INetCache
%UserProfile%\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\AC\INetCookies
The attack starts by deleting the INetCookies folder and "linking" it to a privileged location on the system; in the example shown, "C:\Windows\System32\drivers\etc". When the wsreset.exe tool is then run, it removes the contents of the linked System32 folder instead of INetCookies. This makes it possible to bypass antivirus protection, as we will see now.
In the example, we are told that the Adaware antivirus stores its settings in "C:\ProgramData\adaware\adaware antivirus". "Normal" users cannot delete this folder, but the "trick" above can be used so that wsreset.exe takes care of everything. After the system is restarted, the antivirus is permanently disabled and no longer scans for threats in real time.
As we can see, the example shows how to delete folders from the operating system or disable the antivirus, but the wsreset.exe security problem could allow many other "evils". Among them, it could even be used to bypass UAC (User Account Control).
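A defensive check for the redirection described above, as an added example that is not from the original article or from the researcher: it flags the store's INetCache or INetCookies folder when it is a link that resolves outside the package's AC folder. It assumes these are plain directories on an unmodified system; the function names are hypothetical.

```python
import os
import stat
import sys

# Path components as given in the article, relative to %UserProfile%.
STORE_PACKAGE = os.path.join("AppData", "Local", "Packages",
                             "Microsoft.WindowsStore_8wekyb3d8bbwe")
CACHE_DIRS = ("INetCache", "INetCookies")


def is_link(path):
    """True for symlinks and for Windows reparse points such as junctions."""
    try:
        st = os.lstat(path)  # lstat inspects the link itself, not its target
    except OSError:
        return False  # a missing folder is not a redirection
    attrs = getattr(st, "st_file_attributes", 0)  # only populated on Windows
    return stat.S_ISLNK(st.st_mode) or bool(attrs & stat.FILE_ATTRIBUTE_REPARSE_POINT)


def is_outside(base, target):
    """True when target does not live under base."""
    try:
        base, target = os.path.normcase(base), os.path.normcase(target)
        return os.path.commonpath([base, target]) != base
    except ValueError:  # e.g. paths on different Windows drives
        return True


def audit_store_cache(package_root):
    """Return (folder_name, resolved_target) for each redirected cache folder."""
    findings = []
    ac_dir = os.path.realpath(os.path.join(package_root, "AC"))
    for name in CACHE_DIRS:
        folder = os.path.join(ac_dir, name)
        if not is_link(folder):
            continue  # assumed normal state: a plain directory
        target = os.path.realpath(folder)  # follows the link to its destination
        if is_outside(ac_dir, target):
            findings.append((name, target))
    return findings


if __name__ == "__main__":
    root = os.path.join(os.path.expanduser("~"), STORE_PACKAGE)
    hits = audit_store_cache(root)
    for name, target in hits:
        print(f"ALERT: {name} is redirected to {target}")
    sys.exit(1 if hits else 0)
```

Run it per user profile before wsreset.exe is invoked; a non-zero exit code means a cache folder points somewhere it should not.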
How long will it take for Microsoft to fix the problem?