Microsoft patches anti-virus bug that allowed boobytrapped files to run malicious code when scanned

Microsoft Defender bug was being actively exploited.

Graham Cluley


This week, as part of its long-standing monthly “Patch Tuesday” regime, Microsoft released security updates to fix more than 80 flaws in its software.

Amongst the critical security vulnerabilities patched by Microsoft was one that, ironically, lives in the company's own Windows security product, Microsoft Defender Antivirus.

The actively-exploited remote code execution flaw (tracked as CVE-2021-1647) can be triggered by the mere act of Microsoft Defender attempting to scan a boobytrapped file for malware.


And because Microsoft Defender is always attempting to protect users from malware attacks, a user doesn't have to be duped into clicking on an executable file or a dangerous link to activate the attack.

As soon as Microsoft Defender sees the boobytrapped file on your computer it will try to scan it, get its knickers in a twist, and allow malicious code to run instead.

D’oh!

The good news is that your installation of Microsoft Defender is almost certainly already protected, as it is pretty much constantly updating itself anyway to deal with new malware threats – it’s just that on this occasion the dodgy code that it is arguably protecting you from was written by Microsoft’s own developers!

Version 1.1.17700.4 and later of the Microsoft malware protection engine are reported not to be affected by the flaw, so check that you are running the latest version of the Microsoft Defender engine, and ensure that it is up-to-date with its malware definitions.
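The check described above, as an added example that is not part of the original article: it reads the local Defender status with the built-in Defender PowerShell module and compares the engine version against the 1.1.17700.4 threshold cited here. The 24-hour signature-age limit is an assumed threshold, not something the article specifies.

```powershell
# Added example (not from the article): confirm the local Microsoft Defender
# engine is at or above the version the article cites as unaffected by
# CVE-2021-1647, and that malware signatures are reasonably fresh.
# Assumes the built-in Defender module (Get-MpComputerStatus, Update-MpSignature).

$FixedEngineVersion   = [version]'1.1.17700.4'   # minimum unaffected engine, per the article
$MaxSignatureAgeHours = 24                       # assumed freshness threshold for illustration

function Test-DefenderEngineFixed {
    param(
        [Parameter(Mandatory)] $Status,                 # output of Get-MpComputerStatus
        [version] $MinimumEngine = $FixedEngineVersion
    )
    # AMEngineVersion is a string such as '1.1.17700.4'; cast it to [version]
    # so the comparison is numeric per component, not a lexical string compare.
    $engine = [version] $Status.AMEngineVersion
    $sigAge = ((Get-Date) - $Status.AntivirusSignatureLastUpdated).TotalHours

    [pscustomobject]@{
        EngineVersion     = $engine
        EngineIsFixed     = ($engine -ge $MinimumEngine)
        SignatureVersion  = $Status.AntivirusSignatureVersion
        SignatureAgeHours = [math]::Round($sigAge, 1)
        ServiceEnabled    = $Status.AMServiceEnabled
    }
}

$result = Test-DefenderEngineFixed -Status (Get-MpComputerStatus)
$result | Format-List

if (-not $result.ServiceEnabled) {
    Write-Warning 'Defender antimalware service is not running; the engine check is moot.'
} elseif (-not $result.EngineIsFixed) {
    Write-Warning "Engine $($result.EngineVersion) is older than $FixedEngineVersion; run Update-MpSignature and re-check."
} elseif ($result.SignatureAgeHours -gt $MaxSignatureAgeHours) {
    Write-Warning "Engine is fixed, but signatures are $($result.SignatureAgeHours) h old; consider Update-MpSignature."
} else {
    Write-Output 'Defender engine is at or above the fixed version and signatures are current.'
}
```

Run it in an elevated PowerShell session on the Windows host you want to verify; the engine version is pulled from the live Defender status, so it reflects whatever the automatic updates have actually delivered.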



Graham Cluley is a veteran of the cybersecurity industry, having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent analyst, he regularly makes media appearances and is an international public speaker on the topic of cybersecurity, hackers, and online privacy. Follow him on Twitter, Mastodon, Bluesky, or drop him an email.
