Microsoft has patched two flaws in Windows Defender that could have been abused to trigger denial-of-service attacks, potentially knocking over the security engine itself and destabilizing protection on Windows machines. The bugs sat in the Malware Protection Engine, the part that scans and processes suspicious files, and they were fixed through automatic updates already rolling out to users.
The timing is awkward in the best possible way: defenders got the Windows Defender patch first, and attackers do not appear to have a public success story to point to yet. That matters because security products are increasingly targeted as a way to disable the gate before trying to get in the door.
What Microsoft fixed in Windows Defender
The affected component was the Malware Protection Engine, which handles scanning and threat processing inside Windows Defender. Microsoft says the issues were addressed in engine versions 1.1.26040.8 and 4.18.26040.7.
- Affected area: Malware Protection Engine
- Risk: denial-of-service attack
- Fixed versions: 1.1.26040.8 and 4.18.26040.7
How to check the Windows Defender update in Windows Security
Users with automatic updates enabled should already have received the fix, but Microsoft still advises checking manually in Windows Security. The path is straightforward: open Virus and threat protection, select Protection updates, and run a check for updates.
You can also verify the Malware Protection Engine version in the About section and compare it with the patched numbers. That is a small chore, but far cheaper than discovering your security layer is the thing misbehaving.
Why this Windows Defender flaw matters
There are no confirmed reports of mass exploitation so far, according to the available information. Still, attacks against antivirus engines have a familiar logic: if you cannot easily beat the defenses, try to make them crash, stall, or look away.
Microsoft’s advice is the usual one, but it is also the correct one: keep updates on, and let the software do the boring maintenance work before someone else turns it into a problem.