A serious vulnerability in Windows Defender has been patched in 2 days

Google's Project Zero security team found a vulnerability in the Antimalware Service Executable (MsMpEng), which is enabled by default on Windows 8, 8.1 and 10 and on Windows Server 2012 and 2016, with the caveat that on Windows Server 2012 the Windows Defender antivirus itself is not available.


The published exploit temporarily disables real-time protection.

For end users, this means that Windows Defender, Microsoft Security Essentials, the central management console of System Center Endpoint Protection for businesses, and other Microsoft products built on the same engine were susceptible to remote execution of arbitrary code. For example, on workstations it was possible to execute commands with the highest privileges (NT AUTHORITY\SYSTEM) merely by delivering a link to download an attachment to the victim system through a browser, a messenger or an e-mail.


The published proof of concept disables the MsMpEng service, which is responsible for real-time protection, for a few moments or until the next restart of the computer.

The attached proof of concept crashes MsMpEng in its default configuration and may destabilize the system. Extra care should be taken on Windows systems running services such as IIS.

This is just one example of how the exploit developed by Natalie Silvanovich and Tavis Ormandy of the Google Project Zero team can be used.

Most importantly, unauthorized code execution was possible without the attachment ever being opened. The vulnerability in the anti-malware service gave the attacker access to the part of the Microsoft antivirus engine responsible for scanning everything that reaches the protected system, regardless of its source: browser, messenger, e-mail, USB drive, etc.

Microsoft released the update 2 days after being notified, and it is now available through Windows Update.
