Microsoft fixes a Windows Defender remote code execution vulnerability

By: Costea Lestoc
2 minute read

Microsoft recently published Security Advisory 4022344, announcing a severe vulnerability in the Microsoft Malware Protection Engine, the scanning engine shared by its anti-malware products.

Microsoft Malware Protection Engine

The engine is used by consumer products such as Windows Defender and Microsoft Security Essentials, and on the business side by Microsoft Endpoint Protection, Microsoft Forefront, Microsoft System Center Endpoint Protection and Windows Intune Endpoint Protection.

Because every one of these products embeds the same engine, all of them were affected. The vulnerability could allow remote code execution whenever the engine scanned a specially crafted file; since real-time protection scans files automatically as they arrive (by email, download or shared folder), the attacker only needs to get the file onto the system, and the engine runs with system-level privilege.

Windows Defender vulnerability fixed

Tavis Ormandy and Natalie Silvanovich of Google Project Zero discovered what Ormandy called the “worst Windows remote code exec in recent memory” on May 6th, 2017. The researchers reported it to Microsoft privately, under Project Zero’s standard 90-day disclosure deadline.

Microsoft produced a fix within days and pushed an updated engine build to all affected products through the normal definition-update channel, so most systems received it without any user action.

Customers running any of the affected products should nevertheless verify that the engine on their devices has actually been updated, since the fix arrives as an engine update rather than as a separately listed patch.

Update the program on Windows 10

  • Tap the Windows key, type Windows Defender, and hit Enter to load the program.
  • If you run the Windows 10 Creators Update, this opens the new Windows Defender Security Center.
  • Click the cogwheel icon.
  • Select About on the next page.
  • Check the Engine Version: it must be 1.1.13704.0 or later. (The Engine Version is distinct from the definition or client version shown on the same page; only the engine number matters here.)

Windows Defender updates are available through Windows Update. Instructions for updating Microsoft anti-malware products manually are available on the Malware Protection Center on the Microsoft website.
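The same check can be scripted, which is handier when you have more than one machine to verify. The following is an added example, not code from the article or from Microsoft; it assumes the Defender PowerShell module (Get-MpComputerStatus, Update-MpSignature) is present, which is the case for Windows Defender on Windows 8.1, Windows 10 and Windows Server 2016 or later. The threshold is the fixed engine build named above.

```powershell
# Added example: confirm the Malware Protection Engine is at or above the
# fixed build (1.1.13704.0) and pull an update if it is not.
# Assumes the Defender module (Windows Defender on Win 8.1/10/Server 2016+).
$FixedEngine = [version]'1.1.13704.0'

function Test-MpEnginePatched {
    param([version]$Minimum = $FixedEngine)

    # AMEngineVersion is the engine build shown as "Engine Version" in the UI.
    $status = Get-MpComputerStatus -ErrorAction Stop
    $engine = [version]$status.AMEngineVersion

    [pscustomobject]@{
        EngineVersion = $engine
        Minimum       = $Minimum
        Patched       = ($engine -ge $Minimum)   # [version] compares field by field
        RealTime      = $status.RealTimeProtectionEnabled
    }
}

$result = Test-MpEnginePatched
$result | Format-List

if (-not $result.Patched) {
    Write-Warning "Engine $($result.EngineVersion) is older than $FixedEngine; updating now."
    # Engine builds ship inside definition updates, so this pulls the fix too.
    Update-MpSignature -ErrorAction Stop
    Test-MpEnginePatched | Format-List
}
```

Compare [version] objects rather than strings: a plain string comparison would rank 1.1.9xxx.0 above 1.1.13704.0. On products without the PowerShell module (Microsoft Security Essentials, System Center Endpoint Protection), the equivalent manual update is `MpCmdRun.exe -SignatureUpdate`, run from that product’s install directory, after which the engine version can be read from the product’s About dialog as described above.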

Google vulnerability report on the Project Zero website

The report’s summary explains why this bug class is so serious:

Vulnerabilities in MsMpEng are among the most severe possible in Windows, due to the privilege, accessibility, and ubiquity of the service.

The core component of MsMpEng responsible for scanning and analysis is called mpengine. Mpengine is a vast and complex attack surface, comprising handlers for dozens of esoteric archive formats, executable packers and cryptors, full system emulators and interpreters for various architectures and languages, and so on. All of this code is accessible to remote attackers.

NScript is the component of mpengine that evaluates any filesystem or network activity that looks like JavaScript. To be clear, this is an unsandboxed and highly privileged JavaScript interpreter that is used to evaluate untrusted code, by default on all modern Windows systems. This is as surprising as it sounds.

