Vulnerabilities Under Active Exploitation
Microsoft has disclosed that two security flaws in its Microsoft Defender antimalware platform are being actively exploited in the wild. The first is a privilege escalation vulnerability that allows an attacker to elevate their access to SYSTEM level, which is the highest level of access on a Windows machine. This flaw occurs due to improper handling of file links before access. The second vulnerability is a denial of service issue that can crash Defender and disrupt system protection.
Both vulnerabilities have been addressed in updated versions of the Defender Antimalware Platform. Microsoft has not formally confirmed the connection, but the descriptions of these flaws closely match two publicly disclosed zero-days, named RedSun and UnDefend. Security researchers at Huntress have confirmed observing exploitation attempts in real-world environments, sometimes in combination with a third related flaw.
Update and Mitigation Steps
Microsoft has released patched versions 1.1.26040.8 and 4.18.26040.7 of the Defender platform. The update also resolves a separate heap-based buffer overflow vulnerability that could allow remote code execution, though there is no evidence that this particular flaw has been exploited yet. Systems that have Microsoft Defender disabled are not exposed to these vulnerabilities.
The company emphasizes that no manual action is needed for most users, as Defender automatically downloads and installs malware definition updates and engine updates. To manually verify that the latest version is active, users can open the Windows Security app and check the protection updates section. Microsoft credited five researchers for reporting the privilege escalation flaw: Sibusiso, Diffract, Andrew C. Dorman, Damir Moldovanov, and an anonymous contributor.
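For administrators who want to check many hosts rather than click through the Windows Security app, the following PowerShell snippet is an added example (not from the article or from Microsoft) that compares the locally reported Defender versions against the patched builds named above. It assumes the 1.1.x build is the scanning engine, reported by Get-MpComputerStatus as AMEngineVersion, and the 4.18.x build is the antimalware platform, reported as AMProductVersion.

```powershell
# Added example: report whether this host's Defender engine and platform are
# at or above the patched builds from the advisory summary.
# Assumption: AMEngineVersion carries the 1.1.x engine build and
# AMProductVersion carries the 4.18.x platform build.
$patchedEngine   = [version]'1.1.26040.8'
$patchedPlatform = [version]'4.18.26040.7'

$status = Get-MpComputerStatus

# A host where Defender is not the active antivirus is not exposed to these
# flaws (per the article), but that also means no Defender protection runs.
if (-not $status.AntivirusEnabled) {
    Write-Warning "Defender antivirus is not enabled on $env:COMPUTERNAME; not exposed, but unprotected."
}

# Cast the reported strings to [version] so comparison is numeric per
# component rather than lexical (so 4.18.26040.7 correctly beats 4.18.9999.1).
$engine   = [version]$status.AMEngineVersion
$platform = [version]$status.AMProductVersion

$engineOk   = $engine   -ge $patchedEngine
$platformOk = $platform -ge $patchedPlatform

[pscustomobject]@{
    Host              = $env:COMPUTERNAME
    EngineVersion     = $engine.ToString()
    EngineAtOrAbove   = $engineOk
    PlatformVersion   = $platform.ToString()
    PlatformAtOrAbove = $platformOk
    Status            = $(if ($engineOk -and $platformOk) { 'Patched' } else { 'Update required' })
}
```

A host reporting "Update required" that has not picked up the update on its own can be told to fetch definitions immediately with Update-MpSignature, after which the check can be re-run.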
Source: The Hacker News
