Microsoft plugs another critical hole in Windows Defender

Microsoft patched a critical RCE vulnerability in its Malware Protection Engine that could have been exploited without any user interaction


Periodically, you might notice Windows notifications about the health of your PC. They are a result of the Windows Defender antivirus tool scanning your box for potential issues. It doesn’t really matter if you wanted Windows Defender to run or not as it is a part of Windows.

Sure, you can turn off real-time protection, but it will eventually be turned back on automatically. This leaves you wide open if Windows Defender has a nasty bug. On Friday, Microsoft plugged (yet another) critical hole in Windows Defender that could have been exploited without any user interaction.

In reality, the critical vulnerability in Microsoft’s Malware Protection Engine was not being exploited. For that, we should be thankful, since the remote code execution vulnerability was so easy to exploit that it would have resulted in epic pwnage. In fact, after Google Project Zero’s Tavis Ormandy discovered the flaw, he had to encrypt the proof-of-concept demo file before sending it to Microsoft so it wouldn’t potentially crash Microsoft’s email servers.

Ormandy included the warning in his technical writeup: “Note that as soon as the testcase.txt file touches disk, it will immediately crash the MsMpEng service on Windows, which may destabilize your system. The testcases have been encrypted to prevent crashing your exchange server.”

He found the bug immediately after writing a fuzzer.

“I suspect this has never been fuzzed before,” Ormandy said.

He discovered the vulnerability on June 7, but he didn’t go public with the report until June 23, after Microsoft had released a security update to patch the gaping hole.

Regarding the RCE flaw in Microsoft Malware Protection Engine, Microsoft wrote, “An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the LocalSystem account and take control of the system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

An attacker could have exploited this bug in numerous ways, be it tricking a user into visiting a malicious website that would download a file or sending the file via email or messenger. The malicious file would be scanned by the Microsoft Malware Protection Engine automatically if real-time protection is turned on, and boom.

Affected products

Affected products include x86 and 32-bit based versions of the Malware Protection Engine found in Windows Defender, Microsoft Security Essentials, Windows Intune Endpoint Protection, Microsoft Endpoint Protection and Microsoft Forefront Endpoint Protection. The security update has already rolled out and the fixed engine version is 1.1.13903.0.
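To check a machine against the fixed engine version named above, here is an added PowerShell example (not from the article or from Microsoft). It assumes the built-in Defender module’s Get-MpComputerStatus cmdlet, which reports the engine version for Windows Defender on current Windows releases but not for the older Forefront, Intune or Endpoint Protection products.

```powershell
# Added example: report whether the local Malware Protection Engine is at or
# above the fixed version the article names (1.1.13903.0), and whether
# real-time protection is on, since that is what makes the engine scan a
# file automatically as soon as it lands on disk.
# Requires the Defender module (Windows 8.1 / Server 2012 R2 and later).
function Test-MpEngineFixed {
    [CmdletBinding()]
    param(
        # Fixed engine version from the advisory; anything older is unpatched.
        [version]$FixedVersion = '1.1.13903.0'
    )

    $status = Get-MpComputerStatus -ErrorAction Stop

    # AMEngineVersion is a dotted string such as "1.1.13903.0"; casting to
    # [version] gives a proper numeric comparison instead of a string one.
    $engine  = [version]$status.AMEngineVersion
    $isFixed = ($engine -ge $FixedVersion)

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        EngineVersion      = $engine.ToString()
        FixedVersion       = $FixedVersion.ToString()
        EngineIsFixed      = $isFixed
        RealTimeProtection = $status.RealTimeProtectionEnabled
        # Unpatched engine plus real-time scanning is the exposed combination:
        # a delivered file gets scanned, and so triggers the bug, without any
        # user action.
        ExposedToAutoScan  = (-not $isFixed) -and $status.RealTimeProtectionEnabled
    }
}

Test-MpEngineFixed | Format-List
```

Run it as an administrator; a result of EngineIsFixed = False means the engine update has not yet arrived on that machine, regardless of the Windows patch level.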

This is not the first and likely not the last time Ormandy will uncover critical flaws in Windows Defender. This also isn’t the first time he encrypted a proof-of-concept demo before sending in his bug report. In May, when he discovered a “crazy bad” RCE flaw in Windows, Ormandy also encrypted it before sending it to Microsoft. It, too, affected the Microsoft Malware Protection Engine.

As Ars Technica’s Dan Goodin pointed out, this “was the third critical Windows Defender vulnerability Project Zero researchers have uncovered in the past seven weeks.”
