Security flaws are sometimes caused by products that should prevent attacks. Cybersecurity specialists detected a flaw in a Microsoft Defender update for Windows 10 that would allow the download of malware and other malicious files on the compromised system.
Exploiting this flaw would allow threat actors to deploy subsequent attacks, mainly from the variant known as living-off-the-land. Apparently the flaw is related to the MpCmdRun.exe command line, which has been abused to download malicious files from remote locations. This is an issue that has affected many other applications for Windows systems.
The flaw was reported by computer security expert Mohammad Askar, who mentions that the latest Update to Microsoft Defender includes a new argument identified as -DownloadFile. This new feature allows local users to use a Microsoft Antimalware command-line utility to download files from local locations using the following command:
MpCmdRun.exe -DownloadFile -url [url] -path [path_to_save_file]
BleepingComputer experts performed multiple tests, detecting that the feature was included in versions 4.18.2007.9 or 4.18.2009.9.
During testing experts managed to download a resources.exe file, a sample of the WastedLocker ransomware variant used in a recent cyberattack.
Fortunately it is not all bad news, as this flaw does not prevent Microsoft Defender from downloading downloaded malicious files abusing MpCmdRun.exe, although it is not yet checked if other antivirus solutions allow the program to elude its restrictions. At the moment Microsoft has not commented on the finding, although it is likely not to be considered as a security flaw.
He is a cyber security and malware researcher. He studied Computer Science and started working as a cyber security analyst in 2006. He is actively working as an cyber security investigator. He also worked for different security companies. His everyday job includes researching about new cyber security incidents. Also he has deep level of knowledge in enterprise security implementation.