{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2021-001.pdf"
    },
    "title": "Microsoft Defender Remote Code Execution Vulnerability",
    "serial_number": "2021-001",
    "publish_date": "13-01-2021 14:10:00",
    "description": "On 12 January 2021, Microsoft released several security advisories to address security vulnerabilities. One of the reported vulnerabilities, a remote code execution, affects Microsoft Defender and is actively exploited in the wild.",
    "url_title": "2021-001",
    "content_markdown": "---\ntitle: 'Microsoft Defender Remote Code Execution Vulnerability'\nversion: '1.0'\nnumber: '2021-001'\ndate: 'January 13, 2021'\n---\n\n_History_\n\n* _13/01/2021 --- v1.0 -- Initial publication_\n\n# Summary\n\nOn 12 January 2021, Microsoft released several security advisories to address security vulnerabilities. One of the reported vulnerabilities -- a remote code execution -- affects Microsoft Defender and is **actively exploited** in the wild [1, 3].\n\n# Technical Details\n\nThe vulnerability is tracked as CVE-2021-1647 and received a CVSS 3.0 score of 7.8. It is a remote code execution (RCE) vulnerability in the Malware Protection Engine component (`mpengine.dll`) [2]. A threat actor could execute code on a vulnerable device by tricking a user into opening a malicious document on a system where Defender is installed [3].\n\nAccording to Microsoft's exploitability assessment, the vulnerability has not been publicly disclosed, but Microsoft is aware of instances of it being exploited [1]. The exploitation technique does not work in all situations and is still considered to be at proof-of-concept level. However, the code could evolve into more reliable attacks [3].\n\n# Affected Products\n\n* First version of the Microsoft Malware Protection Engine with this vulnerability addressed: version 1.1.17700.4\n* Last version of the Microsoft Malware Protection Engine affected by this vulnerability: version 1.1.17600.5 [1].\n\n# Recommendations\n\nCERT-EU recommends updating to a version of the Microsoft Malware Protection Engine in which this vulnerability has been addressed (1.1.17700.4 or later).\n\nThe default configuration of Microsoft antimalware software helps ensure that malware definitions and the Microsoft Malware Protection Engine are kept up to date automatically [1]. Administrators of enterprise antimalware deployments should ensure that their update management software is configured to automatically approve and distribute engine updates and new malware definitions.\n\nEnd users who do not wish to wait can update their antimalware software manually [1].\n\n# References\n\n[1] <https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1647>\n\n[2] <https://www.bleepingcomputer.com/news/security/microsoft-patches-defender-antivirus-zero-day-exploited-in-the-wild/>\n\n[3] <https://www.zdnet.com/article/microsoft-fixes-defender-zero-day-in-january-2021-patch-tuesday/>\n",
    "content_html": "<p><em>History</em></p><ul><li><em>13/01/2021 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>On 12 January 2021, Microsoft released several security advisories to address security vulnerabilities. One of the reported vulnerabilities -- a remote code execution -- affects Microsoft Defender and is <strong>actively exploited</strong> in the wild [1, 3].</p><h2 id=\"technical-details\">Technical Details</h2><p>The vulnerability is tracked as CVE-2021-1647 and received a CVSS 3.0 score of 7.8. It is a remote code execution (RCE) vulnerability in the Malware Protection Engine component (<code>mpengine.dll</code>) [2]. A threat actor could execute code on a vulnerable device by tricking a user into opening a malicious document on a system where Defender is installed [3].</p><p>According to Microsoft's exploitability assessment, the vulnerability has not been publicly disclosed, but Microsoft is aware of instances of it being exploited [1]. The exploitation technique does not work in all situations and is still considered to be at proof-of-concept level. However, the code could evolve into more reliable attacks [3].</p><h2 id=\"affected-products\">Affected Products</h2><ul><li>First version of the Microsoft Malware Protection Engine with this vulnerability addressed: version 1.1.17700.4</li><li>Last version of the Microsoft Malware Protection Engine affected by this vulnerability: version 1.1.17600.5 [1].</li></ul><h2 id=\"recommendations\">Recommendations</h2><p>CERT-EU recommends updating to a version of the Microsoft Malware Protection Engine in which this vulnerability has been addressed (1.1.17700.4 or later).</p><p>The default configuration of Microsoft antimalware software helps ensure that malware definitions and the Microsoft Malware Protection Engine are kept up to date automatically [1]. Administrators of enterprise antimalware deployments should ensure that their update management software is configured to automatically approve and distribute engine updates and new malware definitions.</p><p>End users who do not wish to wait can update their antimalware software manually [1].</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1647\">https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1647</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.bleepingcomputer.com/news/security/microsoft-patches-defender-antivirus-zero-day-exploited-in-the-wild/\">https://www.bleepingcomputer.com/news/security/microsoft-patches-defender-antivirus-zero-day-exploited-in-the-wild/</a></p><p>[3] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.zdnet.com/article/microsoft-fixes-defender-zero-day-in-january-2021-patch-tuesday/\">https://www.zdnet.com/article/microsoft-fixes-defender-zero-day-in-january-2021-patch-tuesday/</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}