Major Microsoft Windows Defender flaw discovered by Google employee, patch released right away

by Radu Tyrsina

By now, it’s obvious that Microsoft is pushing hard to make Windows Defender the standard, go-to security solution for Windows 10. It still seems to have some way to go, as yet another critical flaw has been found in Windows Defender. The issue was brought to light by Tavis Ormandy, a security engineer at Google.

Google Project Zero

Tavis works at Google on the Project Zero initiative, a research team whose aim is to find critical vulnerabilities in released software. When it finds one, the developer or vendor of the software is contacted and asked to fix the problem.

After that, Project Zero gives the vendor 90 days to fix the problem. If a patch is not released within that period, Google’s team makes the issue public, in service of the vendor’s customers, who need to be informed about the major problem or problems found in the software they pay for.

Already on the job

There was no need for the public-disclosure step this time, as Microsoft had already released a patch for the vulnerability within the window.

As for the vulnerability itself: the x86 emulator that Windows Defender uses to run suspicious code during a scan was not sandboxed, so a bug in the emulator is reachable by any file Defender scans and is not contained by an isolation boundary. The emulator also exposes a custom instruction, dubbed “apicall”, which lets emulated code invoke a large number of the emulator’s internal APIs, and the emulator was affected by a bug on top of that. Ormandy asked Microsoft directly whether exposing the apicall instruction to scanned code was intentional. He summarized the exchange as follows:

“I discussed Microsoft’s ‘apicall’ instruction that can invoke a large number of internal emulator apis and is exposed to remote attackers by default in all recent versions of Windows. I asked Microsoft if this was intentionally exposed, and they replied ‘The apicall instruction is exposed for multiple reasons’, so this is intentional”

Windows Defender update

The problem has already been patched, as mentioned above, but users still need to make sure the patch is applied. The fix ships as a new version of the Malware Protection Engine, which is delivered through the same update channel as definition updates rather than as a separate Windows Update package. The engine version currently installed on a PC can be checked in the Windows Defender section of the Settings app, under Update & Security.
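A scripted way to do the same check, for example across a fleet, is to query the Defender status cmdlets from PowerShell. The following is an added example, not code from the article or from Microsoft; the article does not state the fixed engine version, so the minimum version is a mandatory parameter you fill in from Microsoft’s advisory, and the value in the usage comment is only a placeholder.

```powershell
# Added example (not from the original article): report the installed
# Malware Protection Engine version on Windows 10 and compare it against a
# minimum version supplied by the caller. The fixed version is not stated
# in the article, so -MinimumEngineVersion has no default and must come
# from the vendor advisory.
function Test-MpEngineVersion {
    [CmdletBinding()]
    param(
        # Engine version that contains the fix (assumption: taken from
        # Microsoft's advisory, not from this article).
        [Parameter(Mandatory = $true)]
        [version]$MinimumEngineVersion
    )

    # Get-MpComputerStatus comes with the Defender module that ships in
    # Windows 10; it needs no elevation for these read-only properties.
    $status = Get-MpComputerStatus

    # AMEngineVersion is the Malware Protection Engine itself. The
    # signature version is a separate component: fresh definitions do not
    # by themselves prove the engine has been updated, so check the engine.
    $installed = [version]$status.AMEngineVersion

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        EngineVersion      = $installed
        ProductVersion     = $status.AMProductVersion
        SignatureVersion   = $status.AntivirusSignatureVersion
        SignatureUpdated   = $status.AntivirusSignatureLastUpdated
        RealTimeProtection = $status.RealTimeProtectionEnabled
        Patched            = ($installed -ge $MinimumEngineVersion)
    }
}

# Usage (placeholder version; substitute the one from Microsoft's advisory):
# $result = Test-MpEngineVersion -MinimumEngineVersion '1.1.0.0'
# if (-not $result.Patched) {
#     # Engine updates travel with definition updates, so forcing a
#     # definition update also pulls the newer engine if one is published.
#     Update-MpSignature
#     Test-MpEngineVersion -MinimumEngineVersion '1.1.0.0'
# }
```

The comparison casts the version string to `[version]` so that `1.1.13000.0` sorts correctly against `1.1.9000.0`; a plain string comparison would get this wrong. Running the function before and after `Update-MpSignature` gives a clear before/after record for each machine.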

