Further remote vulnerabilities found in Windows Defender

Researchers have discovered further vulnerabilities in Microsoft's Windows Defender anti-malware software which, if left unpatched, can be remotely exploited.

Ian Beer, a security researcher with Google's Project Zero, discovered that the MsMpEng (Microsoft Malware Protection Engine) component of Defender has a flaw in how it handles "garbage collection", or freeing up computer memory once it has finished processing Javascript.

The bug is due to a design mistake and led to a use-after-free vulnerability that could be remotely exploitable. 

Beer provided a proof-of-concept script to demonstrate the vulnerability, which Microsoft has acknowledged and fixed in MsMpEng version 1.1.13804.0 with an update deployed automatically to users.

Microsoft also patched four other vulnerabilties in MsMpEng, reported to the company by Google's researchers.

Three of the flaws could be used by attackers to crash the MsMpEng process, but a fourth could be abused remotely as Defender did not properly scan specially crafted files, causing memory corruption.

In turn, the memory corruption could be exploited to execute arbitrary code with Windows LocalSystem privileges: to install programs, view, change or delete data, and create new accounts with full user rights, Microsoft said.

Earlier this month Microsoft addressed a serious vulnerability in Defender, found by Project Zero researcher Tavis Ormandy, which too could be used for remote code execution without user interaction.

Ormandy termed that particular vulnerability "the worst in recent memory."

Defender is the bundled security software for Microsoft's Windows 8.x and 10 operating systems, and it is turned on by default.

Microsoft also uses Defender and associated components in its Endpoint Protection, Forefront Endpoint Protection, Intune Endpoint Protection, Security Essentials and Exchange Server 2013 and 2016 applications.