Microsoft fixes "crazy bad" Windows Defender vulnerability




Microsoft has acted quickly to squash the “crazy bad” Windows vulnerability that Google security researcher Tavis Ormandy tweeted about three days ago.

The issue turned out to be in the Microsoft Malware Protection Engine that powers Windows Defender: merely scanning a specially crafted file, for example an incoming email attachment, was enough to trigger the bug. Since the engine runs as LocalSystem and scans everything that arrives on the machine automatically, it could be turned from a protector into the attacker's foothold.

In its advisory, Microsoft writes:

Microsoft is releasing this security advisory to inform customers that an update to the Microsoft Malware Protection Engine addresses a security vulnerability that was reported to Microsoft. The update addresses a vulnerability that could allow remote code execution if the Microsoft Malware Protection Engine scans a specially crafted file. An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the LocalSystem account and take control of the system.

The Microsoft Malware Protection Engine ships with several Microsoft antimalware products. See the Affected Software section for a list of affected products. Updates to the Microsoft Malware Protection Engine are installed along with the updated malware definitions for the affected products. Administrators of enterprise installations should follow their established internal processes to ensure that the definition and engine updates are approved in their update management software, and that clients consume the updates accordingly.

Typically, no action is required of enterprise administrators or end users to install updates for the Microsoft Malware Protection Engine, because the built-in mechanism for the automatic detection and deployment of updates will apply the update within 48 hours of release. The exact time frame depends on the software used, Internet connection, and infrastructure configuration.

As Ormandy warned, a malicious email could be sent from PC to PC and could exploit each machine without the user even opening the message, because the engine scans incoming mail on its own. Left unpatched, such an exploit could spread like wildfire.

The vulnerable engine version is 1.1.13701.0, which is what most machines were running at the time of disclosure; Microsoft is pushing out engine version 1.1.13704.0, which addresses the vulnerability. Note that these are Microsoft Malware Protection Engine version numbers, not Windows or definition versions. Because the shared engine is what is affected, the list of vulnerable products goes well beyond Windows Defender on Windows 7 through Windows 10: Microsoft Forefront Endpoint Protection 2010, Microsoft Forefront Security for SharePoint Service Pack 3, Microsoft System Center Endpoint Protection, Microsoft Security Essentials and Windows Intune Endpoint Protection were all vulnerable.

The update should reach all affected devices within 48 hours through the normal definition-update channel. Administrators who gate definition and engine updates through their own update management software should approve this one promptly rather than wait, and should confirm that clients actually report the fixed engine version.
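The following PowerShell is an added example, not code from the article or from Microsoft, for checking whether a given machine has actually received the fixed engine and forcing the update if it has not. It assumes the Defender PowerShell module (Get-MpComputerStatus, Update-MpSignature, available on Windows 8.1 / Server 2012 R2 and later); the registry keys and the MpCmdRun.exe fallback used for Windows 7 / Security Essentials hosts are assumed locations and should be verified on your own builds. The fixed version 1.1.13704.0 is the one named above.

```powershell
# Added example (not from the article or from Microsoft): verify the Microsoft
# Malware Protection Engine version on this host against the first fixed
# engine, and pull the update now rather than waiting up to 48 hours.

$FixedEngine = [version]'1.1.13704.0'   # first fixed engine version per the advisory

function Get-MpEngineVersion {
    # Prefer the Defender cmdlet; fall back to the registry value it reads.
    if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
        return [version](Get-MpComputerStatus).AMEngineVersion
    }
    # Assumed registry locations for Defender and for MSE / SCEP respectively.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows Defender\Signature Updates',
        'HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware\Signature Updates'
    )
    foreach ($k in $keys) {
        $v = (Get-ItemProperty -Path $k -Name EngineVersion -ErrorAction SilentlyContinue).EngineVersion
        if ($v) { return [version]$v }
    }
    throw 'No Microsoft antimalware engine version found on this host.'
}

function Invoke-MpEngineUpdate {
    # Use the cmdlet where it exists; otherwise locate MpCmdRun.exe, which ships
    # with every product that carries the engine, and ask it for a signature update.
    if (Get-Command Update-MpSignature -ErrorAction SilentlyContinue) {
        Update-MpSignature
        return
    }
    $mpcmd = Get-ChildItem -Path $env:ProgramFiles -Filter MpCmdRun.exe -Recurse -ErrorAction SilentlyContinue |
             Select-Object -First 1
    if ($mpcmd) { & $mpcmd.FullName -SignatureUpdate }
    else { throw 'Neither Update-MpSignature nor MpCmdRun.exe is available.' }
}

$current = Get-MpEngineVersion
if ($current -ge $FixedEngine) {
    "Engine $current is at or above $FixedEngine: patched."
} else {
    "Engine $current is below $FixedEngine: vulnerable, forcing an update."
    Invoke-MpEngineUpdate
    $after = Get-MpEngineVersion
    "Engine now $after; patched: $($after -ge $FixedEngine)"
}
```

The comparison uses the [version] type rather than string comparison so that 1.1.13704.0 sorts correctly against, say, 1.1.13801.0 later on. Running it across a fleet (for instance via Invoke-Command) gives a concrete list of hosts still on 1.1.13701.0 or older instead of trusting the 48-hour window.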

Read more about the issue at Technet here.