Security experts have found a glaring bug in Microsoft’s antivirus engine that powers Windows Defender, which can be used to remotely compromise a PC; it’s been described as a ‘crazy bad’ vulnerability by one researcher – although a patch for the flaw has now been deployed.
Tavis Ormandy of Google’s Project Zero (who found the bug, working with Natalie Silvanovich) described how the critical vulnerability could be leveraged against Windows 8/8.1 and Windows 10 PCs with a default installation, and triggered with no action taken by the user.
All that has to happen is for the malware protection engine to scan a specially crafted file sent by an attacker, at which point it will inadvertently execute the malicious code, allowing said attacker to remotely gain control of the system – and then carry out whatever nastiness they desire.
So, for example, you could get a malware-laden email and not even read it (let alone go near an attachment), and still be hit by the exploit because the malware protection engine will automatically scan it and trigger it – all in the background while you remain blissfully unaware.
Of course, the irony is that Windows Defender (and Microsoft’s other security products that run its malware protection engine, such as Security Essentials) is supposed to protect your PC, but in this case it’s working against it.
As this is a very serious bug, Microsoft has been quick to respond, and has already issued an update for Windows Defender – it (and other software using Microsoft’s antivirus engine) should update itself automatically within 48 hours of the patch being released, Microsoft said yesterday.
As Engadget reports, you can check if the issue is fixed on your PC simply by looking at the engine version number of Windows Defender: it should be version 1.1.13704.0 or higher.
On Windows 10, you can check this simply by typing ‘Windows Defender’ into the search box on the taskbar (next to the Start button) to bring the app up, and then clicking on Settings.
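If you would rather check (and, if needed, force) the engine update from a script, for instance across several machines, the following PowerShell is an added example and not part of the article; it assumes the built-in Defender module (Get-MpComputerStatus, Update-MpSignature) is present, which is the case on Windows 8.1/10 and Server 2012 R2 and later.

```powershell
# Added example (not from the article): verify that the Malware Protection
# Engine on this host is at or above the fixed version quoted in the article.
# Assumes the Defender PowerShell module is available (Windows 8.1+/Server 2012 R2+).
$PatchedEngine = [version]'1.1.13704.0'   # first engine version carrying the fix

function Test-DefenderEngine {
    param([version]$Minimum = $PatchedEngine)
    $status = Get-MpComputerStatus -ErrorAction Stop
    # Cast to [version] so each field is compared numerically; a plain string
    # comparison would wrongly rank '1.1.9999.0' above '1.1.13704.0'.
    $engine = [version]$status.AMEngineVersion
    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        EngineVersion = $engine
        Required      = $Minimum
        Patched       = ($engine -ge $Minimum)
        RealTimeOn    = $status.RealTimeProtectionEnabled
    }
}

$result = Test-DefenderEngine
$result | Format-List
if (-not $result.Patched) {
    Write-Warning "Engine $($result.EngineVersion) is older than $PatchedEngine; requesting an update now."
    # Pulls the engine and definitions through the normal update channel rather
    # than waiting for the 48-hour automatic window mentioned in the article.
    Update-MpSignature -ErrorAction Stop
    Test-DefenderEngine | Format-List
}
```

Run it in an elevated PowerShell session; `Update-MpSignature` needs administrative rights, and the second `Test-DefenderEngine` call confirms whether the pull actually brought the engine up to the patched version.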
Of course, you needn’t worry if you’ve switched off Windows Defender and are using an alternative third-party antivirus solution.
This vulnerability could also potentially hit business users, as it affects Windows Server 2012 and enterprise security products like Microsoft Endpoint Protection. To see the full list of affected products check out Microsoft’s security advisory on the problem.
Google’s Tavis Ormandy is a big presence in the security world these days, often finding vulnerabilities in major pieces of antivirus software – and he certainly isn’t afraid of criticising these products.
Microsoft, however, has at least earned some brownie points here in terms of the speed of its response. But obviously, in an ideal world this sort of gaping hole – which can be exploited without any user interaction – shouldn’t exist in the first place.