The bug (CVE-2017-0290), tagged as “crazy bad” by the researchers, was present in the Microsoft Malware Protection Engine, a software component that fuels various anti-malware products including MS Security Essentials and the inbuilt Windows Defender tool in different Windows versions.
You can read more in the security advisory issued by Microsoft.