In this most recent Patch Tuesday, Microsoft included mitigation for a current Proof-of-Concept (POC) exploit for Windows Defender, CVE-2021-1647. This vulnerability allows remote code execution from a low-privileged user against the Malware Protection Engine component (mpengine.dll). According to Microsoft, an attacker would need to trick a user into opening a malicious document file on a computer with Windows Defender installed to trigger the exploit. A list of vulnerable versions can be found in the advisory here. While there are no publicly documented cases of this exploit being used, Microsoft stated that it was aware of an exploit in the wild that worked in some situations but was not stable. In any case, the criticality of this vulnerability leaves no room for inaction; affected systems should be patched immediately. Microsoft released a patch for the Malware Protection Engine that will be applied automatically, without any user interaction, unless systems administrators have disabled automatic engine updates.
This vulnerability is not a first for Windows Defender and will likely not be the last. Maintaining a routine patching schedule and tracking vulnerable software is a best practice, and a regular vulnerability management program enables organizations to mitigate or manage the potential risks when POCs such as these are disclosed. In addition to the high-profile bug in Windows Defender, Microsoft's Patch Tuesday also closed a vulnerability in the splwow64 service that could be used by attackers to elevate privileges after compromising a user account. Although these local privilege escalation vulnerabilities are not often given high priority, incident responders know that attackers most often begin intrusions by tricking a user into opening a document or running a program, then quickly pivot to escalating their privileges to become an administrator. That makes patching these vulnerabilities on employee workstations a high priority for security professionals.
References and Resources: