Microsoft Issues Special Patch for Critical Windows Defender Flaw

Ahead of Patch Tuesday, Microsoft has sent out a fix for Windows Defender and anti-malware tools that are vulnerable due to a flaw in the Malware Protection Engine.


It is not yet time for Patch Tuesday in April, but Microsoft is making a rare move by issuing an early fix. Specifically, the company has rolled out security updates to solve a remote code execution issue in Windows Defender and third-party anti-malware programs.

Microsoft typically reserves patches for Patch Tuesday. The monthly rollouts are part of the company's Windows as a service ethos, which also includes twice-yearly feature updates. However, the Windows Defender flaw was deemed critical and needed a quicker patch.

Indeed, it must have been fairly problematic as the regular Patch Tuesday is less than a week away. Microsoft says the Malware Protection Engine (mpengine.dll) is vulnerable to attack. Considering it is the very core of the company's Windows Defender anti-malware service in .

“An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the LocalSystem account and take control of the system,” Microsoft says.

“An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

The vulnerability was discovered by Project Zero, which is becoming a nemesis of Microsoft. We have written before about this dispute. Project Zero finds zero-day problems and gives software companies 90 days to fix the problem before disclosing it. Microsoft disagrees with the approach, as it believes Project Zero should work with companies to solve problems and not punish them.

Possible Hacking Path

Either way, this Windows Defender flaw potentially gives attackers the ability to cause a memory corruption problem on a PC. This would be possible if an attacker makes Windows Defender scan a file specially crafted to target the engine. The same path would also apply to third-party security platforms.

Microsoft says an attacker could achieve this file placement in several ways, for example by putting the corrupt file on a website, in an email, or on a file hosting website and waiting for Windows Defender to scan it.

“If the affected anti-malware software has real-time protection turned on, the Microsoft Malware Protection Engine will scan files automatically, leading to exploitation of the vulnerability when the specially crafted file is scanned,” Microsoft notes.

“If real-time scanning is not enabled, the attacker would need to wait until a scheduled scan occurs for the vulnerability to be exploited. All systems running an affected version of anti-malware software are primarily at risk.”

Luke Jones