Microsoft patches anti-virus bug that allowed boobytrapped files to run malicious code when scanned

Microsoft Defender bug was being actively exploited.

Graham Cluley
Graham Cluley
@[email protected]

Microsoft patches anti-virus bug that allowed boobytrapped files to run malicious code when scanned

This week, as part of its long-standing monthly “Patch Tuesday” regime, Microsoft released security updates to fix more than 80 flaws in its software.

Amongst the critical security vulnerabilities patched by Microsoft was one that – ironically – exploited usage of the company’s own Windows security product, Microsoft Defender Antivirus.

The actively-exploited remote code execution flaw (given the technical name of CVE-2021-1647) can be triggered by the mere act of Microsoft Defender attempting to scan a boobytrapped file for malware.

Sign up to our free newsletter.
Security news, advice, and tips.

And as Microsoft Defender is always attempting to protect users from malware attacks that means that a user doesn’t have to be duped into clicking on an executable file or dangerous link to activate the attack.

As soon as Microsoft Defender sees the boobytrapped file on your computer it will try to scan it, get its knickers in a twist, and allow malicious code to run instead.


The good news is that your installation of Microsoft Defender is almost certainly already protected, as it is pretty much constantly updating itself anyway to deal with new malware threats – it’s just that on this occasion the dodgy code that it is arguably protecting you from was written by Microsoft’s own developers!

Version 1.1.17700.4 and later of the Microsoft malware protection engine are said to not be affected by the flaw – so check that you are running the latest version of the Microsoft Defender software, and ensure that it is up-to-date with its malware definitions.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.