Researcher Kasif Dekel of SentinelOne disclosed a vulnerability in Microsoft's Windows Defender that allows local privilege escalation. The vulnerability, tracked as CVE-2021-2409, has existed in Windows Defender for at least 12 years and lets an attacker who already has low-privileged access to a machine act as an administrator (that is, as a user with the highest privileges) and change arbitrary settings on the attacked computer.
The vulnerability sits in the mechanism that removes malicious programs that have installed themselves on the computer. After removing the malware, Defender creates a temporary file that serves as a placeholder. That file is written by a component running with SYSTEM privileges, but it is not protected: nothing checks where the write actually lands or prevents a less-privileged user from interfering with it. In principle, then, an attacker could abuse the very security product that is supposed to protect the computer to plant or overwrite files on the system with SYSTEM privileges.
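The following is an added illustration of the bug class described above, not code from the article, from SentinelOne, or from Microsoft. It simulates, on a POSIX filesystem, a privileged remediation routine that deletes a flagged file and then writes a placeholder at a predictable, unprotected path. The article does not say how the placeholder write is redirected; the example assumes the simplest case, a low-privileged attacker pre-planting a symbolic link at the placeholder path so the privileged write lands on a protected file. All file names (`quarantine.placeholder`, `protected_target`, `malware.exe`) are hypothetical. The hardened variant refuses to follow or overwrite anything that already exists at the placeholder path.

```python
import os
import tempfile

# Hypothetical, predictable placeholder name used by the simulated remediation.
PLACEHOLDER_NAME = "quarantine.placeholder"
PLACEHOLDER_TEXT = "remediated by AV\n"


def remediate_vulnerable(malicious_path, placeholder_path):
    """Simulated remediation: delete the flagged file, then drop a placeholder.

    Bug: open(..., "w") happily follows a symlink that already sits at
    placeholder_path, so a privileged caller ends up overwriting whatever
    the link points to.
    """
    os.unlink(malicious_path)
    with open(placeholder_path, "w") as f:
        f.write(PLACEHOLDER_TEXT)


def remediate_hardened(malicious_path, placeholder_path):
    """Same remediation, but the placeholder is created atomically and only
    if nothing is already there.

    O_CREAT|O_EXCL fails with EEXIST if the path exists at all, including a
    dangling or attacker-planted symlink, and O_NOFOLLOW is belt-and-braces.
    Mode 0o600 keeps the placeholder out of other users' reach. On Windows the
    equivalent precautions are FILE_FLAG_OPEN_REPARSE_POINT plus impersonating
    the low-privileged caller for the write.
    """
    os.unlink(malicious_path)
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    fd = os.open(placeholder_path, flags, 0o600)  # raises FileExistsError on a planted link
    with os.fdopen(fd, "w") as f:
        f.write(PLACEHOLDER_TEXT)


def simulate(remediate, attacker_plants_link=True):
    """Run one remediation inside a scratch directory (constructed sample data).

    Returns (outcome, target_contents):
      outcome is "wrote" if the placeholder write went through, "refused" if the
      remediation detected something at the placeholder path and bailed out.
      target_contents is what the protected file holds afterwards.
    """
    with tempfile.TemporaryDirectory() as d:
        # Stand-in for a system file only SYSTEM/root should be able to change.
        target = os.path.join(d, "protected_target")
        with open(target, "w") as f:
            f.write("original\n")

        # The file the AV has decided to remove.
        malicious = os.path.join(d, "malware.exe")
        with open(malicious, "w") as f:
            f.write("evil\n")

        placeholder = os.path.join(d, PLACEHOLDER_NAME)
        if attacker_plants_link:
            # Low-privileged attacker knows the placeholder name and points it
            # at the protected file before the privileged remediation runs.
            os.symlink(target, placeholder)

        try:
            remediate(malicious, placeholder)
            outcome = "wrote"
        except FileExistsError:
            outcome = "refused"

        with open(target) as f:
            return outcome, f.read()


if __name__ == "__main__":
    print("vulnerable, link planted:", simulate(remediate_vulnerable))
    print("hardened,   link planted:", simulate(remediate_hardened))
    print("hardened,   no attacker :", simulate(remediate_hardened, attacker_plants_link=False))
```

In the vulnerable run the "protected" file ends up containing the placeholder text, which is exactly the arbitrary-write-as-SYSTEM primitive the article describes; the hardened run refuses the write and leaves the target untouched, while still working normally when no link has been planted.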
The bug has been present since at least Windows 7 (2009) and may go back further still. There is no indication that attackers found the flaw before the researchers did, but given that it has existed for at least 12 years, that is certainly possible. After SentinelOne reported the flaw in November 2020, Microsoft released a patch for CVE-2021-2409 last week and urged all users to install it.
It is very likely that, now that the vulnerability is public, attackers will develop malware that exploits it and go looking for users on unpatched systems, those who do not know how to install security updates or do not bother to, and who therefore remain exposed to this kind of attack. Because Defender's engine and platform updates are normally delivered automatically, most systems will receive the fix without user action; the ones to worry about are machines that are offline or on which those updates have been disabled. SentinelOne said its own customers are already protected against the vulnerability.