Microsoft has patched two flaws that could allow attackers to exploit Windows’ built-in defences to take over a PC–simply by sending the target an email.

The out-of-band patch addresses two severe vulnerabilities in the Microsoft Malware Protection Engine at the core of Windows Defender anti-virus software–which is bundled with all recent versions of Windows.

To exploit the flaws, CVE-2017-11937 and CVE-2017-11940, attackers would need the Malware Protection Engine on the target PC to scan a specially crafted file, which would allow the attacker to execute arbitrary code, and could eventually lead them to gain full user rights.

SEE: Zero day exploits: The smart person’s guide (TechRepublic)

As with earlier vulnerabilities in the Microsoft Malware Protection Engine–described as “crazy bad” by security researchers–an attacker could take over a system just by sending an email to the target, without the need for an attachment to be opened, due to Windows Defender typically scanning everything written to disk on the PC.

This malicious file could also be delivered to a user when they viewed a website or received an attachment in an Instant Messenger message.

Those who had real-time protection turned on in Windows Defender would have the exploit triggered immediately, otherwise the exploit would run next time a scheduled scan took place.

The flaws were discovered by the National Cyber Security Centre (NCSC), a group within the UK spy agency GCHQ that advises government and public on cyber defense.

The bugs affect Windows Defender for all supported Windows PCs and servers, as well as Endpoint Protection, Exchange Server 2013 and 2016, Forefront, Windows Intune Endpoint Protection and Security Essentials.

The flaws have not been made public and Microsoft says they are not thought to have been exploited.

Typically, the patches should be applied to the Microsoft Malware Protection Engine within 48 hours of release, and shouldn’t require any additional action by admins.

Over the course of the year Google’s Project Zero researchers have reported 10 bugs in the Microsoft Malware Protection Engine, with a mixture of remote code execution and denial of service flaws.

Also see: