Microsoft patches critical security bug in Windows Defender

If you're running Windows Defender (quite a strong possibility if you're running Windows), make sure you've got all your updates. Microsoft issued a patch this past Monday for a vulnerability in its malware protection engine that could allow a remote attacker to gain control over any affected system simply by sending the victim a specially-crafted e-mail or instant message. The exploit fires as soon as Windows Defender scans the malicious data; the victim doesn't have to open or run anything, and no action on the part of a local user is required.

The vulnerability itself lies in NScript, a Defender component. NScript evaluates any file-system or network activity that appears to contain JavaScript, so it routinely parses untrusted code, yet it runs completely un-sandboxed. Given that the engine is one of Windows' most privileged processes, the vulnerability hands an attacker complete control over the system. To make matters worse, since it requires no user interaction, the flaw can be exploited programmatically: someone could craft a self-replicating worm that uses the exploit to spread from system to system.

The first public news of the flaw came in a series of tweets from the researchers who discovered it, Tavis Ormandy and Natalie Silvanovich of Google's Project Zero security research team. The pair tweeted vaguely about the vulnerability on Friday night, describing it as "the worst Windows remote code execution flaw in recent memory." Despite requests for details, they declined to provide any further information until the bug was patched.

Fortunately, Microsoft has already issued a patch for the bug. To make sure your system is up to date, check the Engine version under Windows Defender's settings: 1.1.13704.0 or later is the patched version. The engine is delivered alongside definition updates rather than through a separate download, so forcing a definition update is the quickest way to pull it in. People who rely on a third-party anti-malware product that has disabled Defender's scanning don't have to worry about Defender itself, though note that the same engine also ships in other Microsoft products such as Microsoft Security Essentials.
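For anyone who would rather not hunt through the Settings app, here is a scripted version of that check. It is an added example, not code from the article or from Microsoft; it assumes the Defender PowerShell module (Get-MpComputerStatus, Update-MpSignature) is available, which means Windows 8.1/10 or Server 2012 R2 and later, and that the Defender service is running. Windows 7 machines with Microsoft Security Essentials don't have the module and need the Help > About route instead.

```powershell
# Added example (not from the article): report whether the local Malware
# Protection Engine is at or past the patched build, 1.1.13704.0, and pull
# a definition update if it isn't.
# Assumes the Defender module is present (Windows 8.1/10, Server 2012 R2+).

$PatchedEngine = [version]'1.1.13704.0'

function Test-DefenderEnginePatched {
    param([version]$MinimumEngine = $PatchedEngine)

    $status = Get-MpComputerStatus
    # AMEngineVersion is a string such as "1.1.13704.0"; cast it so the
    # comparison is numeric per component rather than lexical.
    $engine = [version]$status.AMEngineVersion

    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        EngineVersion      = $engine
        AntivirusEnabled   = $status.AntivirusEnabled
        RealTimeProtection = $status.RealTimeProtectionEnabled
        Patched            = ($engine -ge $MinimumEngine)
    }
}

$result = Test-DefenderEnginePatched
$result | Format-List

if (-not $result.Patched) {
    # The engine rides along with definition updates, so refreshing the
    # definitions is what brings in the fixed engine build.
    Write-Warning "Engine $($result.EngineVersion) is older than $PatchedEngine; updating definitions."
    Update-MpSignature
    Test-DefenderEnginePatched | Format-List
}
```

A machine where AntivirusEnabled is false (typically because a third-party product has taken over) still reports an engine version, but that engine isn't scanning anything, so the Patched flag there is informational rather than a measure of exposure.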

Comments closed
    • Bauxite
    • 2 years ago

    When AV is worse than no AV…

    • just brew it!
    • 2 years ago

    Way to go, MS. Always nice to have your malware protection product be a malware infection vector with a security hole in it big enough to drive an 18-wheeler through.

    Please put your A Team on Windows Defender next time, hmm? Pretty-please?

      • RAGEPRO
      • 2 years ago

      Hahaha! I lol’d hard.

    • arunphilip
    • 2 years ago

    Windows 10 Creators Update brought in "Windows Defender Security Center", which doesn't seem to expose the engine version anywhere easily - it only shows the definition version and date. Instead, to view the engine version, go to Settings > Update & Security > Windows Defender. I went down a few blind alleys trying to get the engine version, so I thought I'd share it with you.

      • LostCat
      • 2 years ago

      ooh, thanks. Though, I updated so I knew I had it.

      • K-L-Waster
      • 2 years ago

      Yes, finding the version number was far more obscure than it really should have been…

        • Welch
        • 2 years ago

        Good ol’ “security through obscurity” I always say!

      • digitalnut
      • 2 years ago

      Another way is to click on the Settings button (bottom left) in “Windows Defender Security Center”, then click on “About” on the right side.

    • davidbowser
    • 2 years ago

    The same engine is included in Microsoft Security Essentials for Win7.

    Make sure you check Help-About to ensure your Engine is 1.1.13704 or newer.

    • tsk
    • 2 years ago

    Thank you for your excellent work Microsoft, we also look forward to when Windows 10 Home gets replaced with Windows 10 S.

      • Voldenuit
      • 2 years ago

      Oops. Looks like by typing text into a BBCode input box, you’ve downloaded a virus through Edge.
