Windows 10 security: Microsoft patches critical flaw in Windows Defender

Just scanning a specially-crafted file could lead to a totally compromised Windows machine.
Written by Liam Tung, Contributing Writer


Microsoft has rolled out security updates to fix a critical remote code execution flaw affecting Windows Defender and the other Microsoft anti-malware products that share its scanning engine.

Ahead of April's Patch Tuesday, Microsoft has released the fix for the critical flaw, which affects the Microsoft Malware Protection Engine (mpengine.dll), the scanning core of Windows Defender in Windows 10.

"An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the LocalSystem account and take control of the system," warns Microsoft.

"An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."

Google Project Zero researcher Thomas Dullien, aka Halvar Flake, found that an attacker can trigger a memory-corruption bug in the engine simply by getting Windows Defender, or any other affected security product, to scan a specially crafted file.

Microsoft warns there are many ways an attacker could achieve this, including placing the file on a website, in an email or instant message, on any site that hosts files, or in a shared directory.

As with similar engine vulnerabilities reported last year by the UK's National Cyber Security Centre (NCSC) and Project Zero, no user interaction is needed: if the affected antivirus has real-time protection enabled, the file is scanned, and the bug triggered, as soon as it arrives on the machine.

"If the affected anti-malware software has real-time protection turned on, the Microsoft Malware Protection Engine will scan files automatically, leading to exploitation of the vulnerability when the specially crafted file is scanned," Microsoft notes.

"If real-time scanning is not enabled, the attacker would need to wait until a scheduled scan occurs for the vulnerability to be exploited. All systems running an affected version of anti-malware software are primarily at risk."


Although the fix is being released before Microsoft's monthly security update, Microsoft does not classify the update for the bug, CVE-2018-0986, as out-of-band: the engine is updated on its own cadence, as needed, independently of Patch Tuesday.

Admins and end-users typically won't need to take action for the update to install, because the affected products have built-in mechanisms for deploying engine updates. Besides Windows Defender, the affected products include Microsoft Security Essentials, Forefront Endpoint Protection 2010, Microsoft Exchange Server 2013 and 2016, and Windows Intune Endpoint Protection.

Windows Defender on all supported versions of Windows and Windows Server is affected.

End-users should receive the fixed version of the Microsoft Malware Protection Engine within 48 hours of its release, according to Microsoft. Microsoft lists engine version 1.1.14600.4 as the last affected version and 1.1.14700.5 as the first version that includes the fix.

Microsoft also notes that the default configuration for Microsoft's anti-malware products in the enterprise is to automatically receive updates.
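For admins who want to confirm the fix actually landed rather than trust the 48-hour window, the check below is an added example written for this article, not code from Microsoft or from the original piece. It reads the running engine version with the Windows Defender PowerShell module, compares it against the fixed version Microsoft published for CVE-2018-0986, forces a definition/engine update if the host is still below it, and reports whether real-time protection is on (which decides whether a crafted file is scanned on arrival or only at the next scheduled scan). It assumes the Defender module (`Get-MpComputerStatus`, `Update-MpSignature`) is available, as on Windows 10 and Windows Server 2016; the registry fallback path used for Microsoft Security Essentials / Forefront hosts is an assumption and should be verified on such a host.

```powershell
# Added example (not from the article or from Microsoft): verify the
# Microsoft Malware Protection Engine version against the CVE-2018-0986 fix.
# Run from an elevated PowerShell prompt.

$fixedVersion   = [version]'1.1.14700.5'   # first fixed engine version per Microsoft
$lastVulnerable = [version]'1.1.14600.4'   # last affected engine version per Microsoft

function Get-MpEngineVersion {
    # Prefer the Defender cmdlet; fall back to the registry on hosts without it
    if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
        return [version](Get-MpComputerStatus).AMEngineVersion
    }
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows Defender\Signature Updates',
        # MSE / Forefront location (assumed path, check on a real MSE host)
        'HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware\Signature Updates'
    )
    foreach ($p in $paths) {
        $v = (Get-ItemProperty -Path $p -Name EngineVersion -ErrorAction SilentlyContinue).EngineVersion
        if ($v) { return [version]$v }
    }
    throw 'No Microsoft anti-malware engine version found on this host'
}

$engine = Get-MpEngineVersion
if ($engine -ge $fixedVersion) {
    Write-Output "Engine $engine is at or above $fixedVersion: CVE-2018-0986 fix present"
}
else {
    Write-Warning "Engine $engine is below $fixedVersion (last affected: $lastVulnerable): forcing an update"
    # Pulls the latest engine and definitions from the configured update source
    Update-MpSignature -ErrorAction Stop
    $engine = Get-MpEngineVersion
    Write-Output "Engine is now $engine"
}

# Real-time protection means a crafted file is scanned (and the bug hit) on arrival;
# without it the exposure is deferred to the next scheduled scan, not removed.
if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
    $status = Get-MpComputerStatus
    Write-Output ("Real-time protection: {0}; last signature update: {1}" -f
        $status.RealTimeProtectionEnabled, $status.AntivirusSignatureLastUpdated)
}
```

Note that the version comparison uses the `[version]` type rather than string comparison, so `1.1.14700.5` correctly sorts above `1.1.14600.4` even though the strings would not compare that way character by character. Turning real-time protection off is not a mitigation: it only moves the exploit to the next scheduled scan.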
