Two Actively Exploited Microsoft Defender Flaws Enable System Takeover

Two Microsoft Defender flaws are being exploited in the wild, allowing attackers to gain SYSTEM privileges or crash the antimalware engine.

CSBadmin

Microsoft has confirmed that two vulnerabilities in its Defender security suite are being actively exploited in real-world attacks. The first issue allows an authenticated local attacker to elevate their privileges to SYSTEM level by tricking Defender into following specially crafted links or directory junctions during file scans. The flaw originates from improper link resolution within Defender’s scanning logic: the scanner, running with SYSTEM privileges, acts on the link’s target rather than the path the user actually controls. Once an attacker gains SYSTEM access, they can disable security tools, install persistent malware, steal sensitive data, or create new high-privilege accounts, significantly expanding the damage from an initial foothold.
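The flaw class in miniature, as an added illustration that is not Microsoft's code and not the actual Defender logic (which the page does not show): a privileged scanner that follows a planted directory link while remediating ends up deleting a file outside its scan root, alongside a version that inspects each entry with `lstat` and refuses anything that resolves outside the root. The marker string, directory layout and the `outside_file_survives` harness are constructed for the demo.

```python
import os
import stat
import tempfile
MARKER = b"EICAR-TEST"  # constructed stand-in for a real detection signature

def looks_malicious(path):
    with open(path, "rb") as f:
        return MARKER in f.read(512)

def is_reparse_point(path):
    # lstat inspects the entry itself, not its target: symlinks everywhere, junctions on Windows.
    st = os.lstat(path)
    attrs = getattr(st, "st_file_attributes", 0)
    return stat.S_ISLNK(st.st_mode) or bool(attrs & getattr(stat, "FILE_ATTRIBUTE_REPARSE_POINT", 0))

def vulnerable_scan(root):
    # Follows links while walking: a link planted under `root` redirects the
    # privileged remediation step (deletion here) to whatever it points at.
    for dirpath, _, files in os.walk(root, followlinks=True):
        for name in files:
            p = os.path.join(dirpath, name)
            if looks_malicious(p):
                os.remove(p)

def hardened_scan(root):
    # Never descends into links and refuses any entry resolving outside `root`. Refused
    # entries are worth logging: a link under a user-writable scan root pointing elsewhere is a signal.
    root_real = os.path.realpath(root)
    removed, refused = [], []
    for dirpath, dirs, files in os.walk(root, followlinks=False):
        dirs[:] = [d for d in dirs if not is_reparse_point(os.path.join(dirpath, d))]
        for name in files:
            p = os.path.join(dirpath, name)
            if is_reparse_point(p) or os.path.commonpath([root_real, os.path.realpath(p)]) != root_real:
                refused.append(p)
            elif looks_malicious(p):
                os.remove(p)
                removed.append(p)
    return removed, refused

def outside_file_survives(scan):
    # Constructed scenario: a flagged file outside the scan root, reachable only
    # through a directory link planted inside it. True if the file is still there.
    with tempfile.TemporaryDirectory() as tmp:
        outside, root = os.path.join(tmp, "outside"), os.path.join(tmp, "root")
        os.makedirs(outside); os.makedirs(root)
        victim = os.path.join(outside, "victim.txt")
        with open(victim, "wb") as f:
            f.write(MARKER + b" constructed sample")
        os.symlink(outside, os.path.join(root, "planted"), target_is_directory=True)
        scan(root)
        return os.path.exists(victim)
```

On Windows the same check catches directory junctions through the reparse-point attribute, which plain `os.path.islink` does not report.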

Denial of Service Weakness

The second vulnerability targets the Microsoft Defender Antimalware Platform itself, enabling an attacker to crash or severely impair Defender’s protection capabilities. While this flaw does not directly grant elevated privileges, it creates a critical window for follow-on attacks by stripping away endpoint defenses. Both vulnerabilities have been publicly disclosed and are marked by Microsoft as having exploitation detected. Remediation is available through updated versions of the Microsoft Malware Protection Engine and the Antimalware Platform. Note that systems with Defender disabled may still appear vulnerable in scans because the affected binaries remain on disk, although such configurations are not considered exploitable in practice.

Source: Cyber Security News
