There’s a critical Remote Code Execution (RCE) vulnerability in Microsoft Defender that is being abused in the wild, Microsoft acknowledged today, identifying the bug — CVE-2021-1647 — as part of its Patch Tuesday.
Microsoft Defender is Windows’ native antivirus product, which bring stogether “machine learning, big-data analysis, in-depth threat resistance research, and the Microsoft cloud infrastructure to protect devices in your enterprise organization.” It comes as standard in Windows 10.
The Microsoft Defender RCE is fixed in Microsoft Malware Protection Engine version 1.1.17700.4 on/the last affected version is 1.1.17600.5. (Pop “Windows Security” into your Windows search bar, hit the settings cog at bottom left, then “about”, to find out which version you’re running. The engine typically auto-updates as needed; some will need to patch manually).
Microsoft offered no details about how extensive exploitation has been, but said attack complexity and privileges required were low, while attack resulted in a “total lack of confidentiality” under its scoring system. (Some unconfirmedspeculation could be seen circling that this related to a Microsoft breach reported in the wake of the SolarWinds compromise.)
For January 2021, Microsoft released patches for 83 CVEs covering Microsoft Windows, Edge, ChakraCore, Office and Microsoft Office Services and Web Apps, Visual Studio, Microsoft Malware Protection Engine, .NET Core, ASP .NET, and Azure: 10 listed as critical; 73 as important.
As the ZDI notes: “Five [of the critical bugs reported today] involve RCE bugs in the Remote Procedure Call (RPC) runtime. What’s really curious is that there are four Important-rated patches for RPC as well. However, the CVSS and other descriptors are all identical. There’s no indication why some are listed as Critical and others are listed as Important.”
For what it’s worth, 19,249 vulnerabilities and exposures (CVEs) were allocated in 2020 – over 52 every single day.