Microsoft has quietly fixed a serious bug in its Windows Defender antivirus software that allowed attackers to take control of vulnerable PCs.
The vulnerability was found in the software's Malware Protection Engine, the component that scans files for malware. According to Microsoft's security advisory, the engine could be exploited when it scanned a "specially crafted file," so the scan itself, not any action by the user, is the trigger.
Getting the rigged file onto a PC could happen in a number of ways: a convincing phishing email or instant message carrying the attachment, a drive-by download, or a file dropped on a shared folder that the engine scans. Victims would not even have to open the file; it would only need to land on disk and be scanned by Windows Defender.
The threat is especially serious for PCs with Windows Defender real-time protection enabled, which is the default, because downloaded files are scanned automatically as soon as they arrive.
Fortunately, Microsoft issued a fix that is rolling out automatically to its Windows Defender and Security Essentials software. Engine updates are delivered through the same channel as malware definition updates rather than through a separate Windows Update package, so users do not need to install anything themselves. The caveat is that a machine whose definition updates are blocked, stale, or deliberately pinned also does not receive the engine fix, so it is worth confirming that updates are actually arriving.
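The practical check a Windows administrator would want after a fix like this is whether the Malware Protection Engine on a given machine has actually moved past the vulnerable version, and whether definition updates (the channel that carries engine fixes) are still arriving. The script below is an added example, not code from the article or from Microsoft; it uses the standard Defender PowerShell cmdlets `Get-MpComputerStatus` and `Update-MpSignature`. The `$MinimumEngineVersion` default is a placeholder assumption: replace it with the fixed engine version named in the advisory for the bug you are checking against.

```powershell
# Added example (not from the article): verify the Defender engine version
# and the freshness of definition updates, forcing an update if the engine
# is still below the version that carries the fix.
param(
    # Assumed placeholder; set this to the fixed engine version from the advisory.
    [version]$MinimumEngineVersion = '1.1.0.0',
    # Definitions older than this many days suggest the update channel is broken.
    [int]$MaxSignatureAgeDays = 3
)

# Requires the Defender module (Windows 8 / Server 2012 and later).
$status = Get-MpComputerStatus

$engine     = [version]$status.AMEngineVersion
$lastUpdate = $status.AntivirusSignatureLastUpdated
$ageDays    = (New-TimeSpan -Start $lastUpdate -End (Get-Date)).Days

# Summary of the state that matters for this bug: engine version, whether
# real-time scanning (the automatic trigger) is on, and update freshness.
[pscustomobject]@{
    EngineVersion       = $engine
    EngineAtOrAboveFix  = ($engine -ge $MinimumEngineVersion)
    RealTimeProtection  = $status.RealTimeProtectionEnabled
    SignatureAgeDays    = $ageDays
    UpdatesLookStale    = ($ageDays -gt $MaxSignatureAgeDays)
}

if ($engine -lt $MinimumEngineVersion) {
    Write-Warning "Engine $engine is below $MinimumEngineVersion; requesting a definition update."
    Update-MpSignature
    $engine = [version](Get-MpComputerStatus).AMEngineVersion
    Write-Host "Engine version after update: $engine"
    if ($engine -lt $MinimumEngineVersion) {
        Write-Warning "Engine still below the fixed version; check WSUS/proxy/offline update policy on this host."
    }
}
```

Run it in an elevated PowerShell session. If the engine version does not advance after `Update-MpSignature`, the machine is not receiving definition updates at all, which is the failure mode that leaves the "automatic" fix unapplied; on Windows 7 with Security Essentials the Defender module is not available, and the engine version has to be read from the product's Help > About dialog instead.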
The flaw was discovered by the UK's National Cyber Security Centre, the agency responsible for defending the country from cyber attacks, which raises the possibility that it was encountered in a real attack, although the advisory does not say so.
It isn't the first time a serious bug has been found in Windows Defender. In May, Google security researchers discovered a remote code execution flaw in the software that they described as "crazy bad." That bug was also triggered when the Malware Protection Engine scanned a rigged file, and Microsoft quickly issued a fix through the same definition-update channel.