Windows Defender own

It is not time for Patch Tuesday in April, but Microsoft is making a rare move by issuing an early fix. Specifically, the company has rolled out security updates to solve a remote code execution issue in Windows Defender and third-party anti-malware programs.

Microsoft typically reserves patches for Patch Tuesday. The monthly roll outs are part of the company’s Windows as a service ethos, which also includes twice-yearly feature updates. However, the Windows Defender flaw was deemed critical and needed a quicker patch.

Indeed, it must have been fairly problematic as the regular Patch Tuesday is less than a week away. Microsoft says the Malware Protection Engine (mpengine.dll) is vulnerable to attack. Considering it is the very core of the company’s Windows Defender anti-malware service in Windows 10.

“An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the LocalSystem account and take control of the system,” Microsoft says.

“An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

The vulnerability was discovered by Google Project Zero, which is becoming a nemesis of Microsoft. We have written before about this dispute. Project Zero finds zero-day problems and gives software companies 90-days to fix the problem before disclosing it. Microsoft disagrees with the approach as it believe Google should work with companies to solve problems and not punish them.

Possible Hacking Path

Either way, this Windows Defender flaw potentially gives attackers the ability to cause a memory corruption problem on a PC. This would be possible if the hacker makes Windows Defender scan a specific file created to access the engine. The flaw would also cause the same path for third-party security platforms.

Microsoft says an attacker could achieve this file placement in several ways. For example, putting the corrupt file on a website, in an email, or a file hosting website and waiting for Windows Defender to scan it.

“If the affected anti-malware software has real-time protection turned on, the Microsoft Malware Protection Engine will scan files automatically, leading to exploitation of the vulnerability when the specially crafted file is scanned,” Microsoft notes.

“If real-time scanning is not enabled, the attacker would need to wait until a scheduled scan occurs for the vulnerability to be exploited. All systems running an affected version of anti-malware software are primarily at risk.”