Microsoft Defender is the default antivirus on Windows, protecting millions of users every day. However, even Defender isn’t immune to bugs. In early 2023, Microsoft quietly fixed a serious denial of service (DoS) vulnerability tracked as CVE-2023-24860. This vulnerability didn’t allow attackers to take over computers, but it could let them crash or hang the Defender service, potentially leaving systems unprotected.

Let’s dig into this issue: what caused it, how attackers could exploit it, and what the protection measures are. This article breaks it down in simple language, with a technical deep dive and a code snippet that shows the attack in action.

What Is CVE-2023-24860?

CVE-2023-24860 is a Denial of Service (DoS) vulnerability in Microsoft Defender Antivirus. This bug allowed a remote or local attacker to tamper with files in a way that caused Defender’s core engine to crash. When Defender crashed, it temporarily disabled real-time protection, leaving the victim’s computer wide open until the service restarted.

Severity: Medium (CVSS score: 6.5)

Patched On: March 14, 2023  
Patched In: Microsoft Defender engine version 1.1.20200.4 and later

How Does the Vulnerability Work?

At its core, Defender scans files on disk. This vulnerability existed because Defender did not properly handle malformed or specially crafted files, and trying to scan one could crash the engine (an unhandled exception or an out-of-memory condition).

1. A malformed or specially crafted file is placed on the system (for example, downloaded or received as an email attachment).

2. Defender scans the file (either automatically or via a manual scan).

3. The scan triggers a flaw in the file parser, causing an unhandled exception or out-of-memory error.

4. Protection is temporarily disabled until Windows restarts Defender or the user notices.

Note: Attackers can NOT run code, but the DoS creates a window of opportunity for other malware.

Real-World Exploit Scenario

Suppose an attacker emails a file named exploit.xyz with content designed to break the file parser. That file is saved to C:\Users\User\Downloads\exploit.xyz.

When Defender scans the file (automatically or manually), it crashes, causing Windows Security to display a warning (“Threat service has stopped”).

Vulnerable File Example (Code Snippet)

Since Microsoft didn’t release full details, security researchers tried fuzzing Defender with malformed files. Here’s a Python code snippet that creates a file Defender’s parser might fail on (for educational/research use only):

# Create a zip archive whose single entry sits under a very deep directory path
import zipfile

archive_name = "malicious_recursive.zip"

# Create an archive with artificially deep folder structure
depth = 100
nested_path = "/".join(["A"] * depth) + "/evil.txt"

with zipfile.ZipFile(archive_name, 'w') as zipf:
    zipf.writestr(nested_path, "boom!")

print(f"Archive {archive_name} created with depth {depth}")

What this does:

- Generates a zip file containing a text file nested 100 folders deep (the value of depth).

- When Defender tries to scan this zip, it might run into resource exhaustion (stack overflow, out-of-memory), potentially crashing the service.

Note: Never use this code against any system except your own for testing!
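The scanner-side counterpart to the snippet above, as an added example (not Microsoft's code and not part of the original article): a bounded-depth zip inspection that rebuilds the same deep-path archive in memory and flags it instead of recursing into it. The depth and size caps are assumed values chosen for illustration.

```python
# Scanner-side guard for the deep-path archive above (added example, not Microsoft's code).
import io
import zipfile
from dataclasses import dataclass, field

MAX_PATH_DEPTH = 32                  # assumption: illustrative directory-depth cap
MAX_UNCOMPRESSED = 50 * 1024 * 1024  # assumption: illustrative per-entry size cap

@dataclass
class ScanReport:
    scanned: list = field(default_factory=list)  # entries that were safe to open
    flagged: list = field(default_factory=list)  # (entry, reason) pairs that were skipped

def build_deep_zip(depth: int) -> bytes:
    """Constructed sample: the same deep-path archive as the snippet, kept in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("/".join(["A"] * depth) + "/evil.txt", "boom!")
    return buf.getvalue()

def inspect_zip(data: bytes, max_depth: int = MAX_PATH_DEPTH,
                max_size: int = MAX_UNCOMPRESSED) -> ScanReport:
    """Walk the central directory, opening only entries within the limits. A limit
    violation or parse error is recorded per entry and that entry skipped, so a
    crafted archive yields a 'suspicious' verdict instead of crashing the engine."""
    report = ScanReport()
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile as exc:
        report.flagged.append(("<archive>", f"unparseable zip: {exc}"))
        return report
    with zf:
        for info in zf.infolist():
            depth = info.filename.count("/")
            if depth > max_depth:
                report.flagged.append((info.filename, f"path depth {depth} exceeds {max_depth}"))
                continue
            if info.file_size > max_size:
                report.flagged.append((info.filename, f"declared size {info.file_size} exceeds {max_size}"))
                continue
            try:
                with zf.open(info) as fh:
                    fh.read(max_size + 1)  # bounded read: never trust file_size alone
            except (zipfile.BadZipFile, RuntimeError, NotImplementedError) as exc:
                report.flagged.append((info.filename, f"unreadable entry: {exc}"))
                continue
            report.scanned.append(info.filename)
    return report
```

Calling inspect_zip(build_deep_zip(100)) puts the 100-level archive in flagged rather than scanned; a parser that bounds depth and size this way fails closed on malformed input instead of taking protection offline.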

Check your Defender version

Get-MpComputerStatus | Select-Object AMEngineVersion

Microsoft Security Guidance:

CVE-2023-24860 | Microsoft Defender for Endpoint Denial of Service Vulnerability

NVD Details:

NVD - CVE-2023-24860

Original Patch Info:

Microsoft Defender Antivirus March 2023 Security Updates

Final Thoughts

CVE-2023-24860 wasn’t the kind of exploit that let hackers run code, but for a security product, a crash is a big deal. It creates a window when malware can slip through unnoticed. Microsoft has patched this, so make sure your Defender engine is up to date.

If you’re a researcher or IT pro, it’s smart to keep an eye on these sorts of bugs. Bugs in security software can be just as dangerous as bugs in Windows itself.

Stay safe, keep your software updated, and always think twice before opening strange files!

Timeline

Published on: 04/11/2023 21:15:00 UTC
Last modified on: 04/19/2023 13:47:00 UTC