Get in Touch Close Menu

MICROSOFT DEFENDER ZERO-DAY CVE-2021-1647

5 April 2021

On the 12th of January 2021, Microsoft released the first cumulative patch of the new year, with eighty-three security vulnerabilities rectified across a range of Microsoft products. The most significant of these fixes related to a zero-day vulnerability within Microsoft Defender, the integrated anti-virus of Windows operating systems.

This vulnerability is being tracked and identified as CVE-2021-1647 and described as a Remote Code Execution (RCE) vulnerability allowing threat actors to infect target systems with executable code.

Researchers believe that threat actors leveraged this vulnerability following the recent SolarWinds supply-chain attack which affected dozens of government and private organisations.

Threat intelligence indicates that while this exploit has been identified in the wild, the technical details of the exploit have yet to be made publicly available. Whilst the attack complexity is low, the exploitation of the vulnerability itself would require a high degree of skill for an exploit to be successful.

The vulnerability is triggered when a crafted file is scanned by Microsoft Defender; this will happen automatically without user intervention. The crafted file needs to be present on the target for successful exploitation. Placing a file on a target host can be achieved through vectors such phishing e-mails with attachments, fraudulent links, or legitimate files tainted at the source by an attacker.

This vulnerability exploits the Microsoft Malware Protection Engine. This engine receives automatic updates outside the normal patching cycle, minimising the time a system is be exposed to threats. As such, most systems will already be patched unless an administrator has intentionally blocked updates. Where this has occurred, we recommend applying the latest patches as a matter of urgency.

More details are available here:

ZD Net – https://www.zdnet.com/article/microsoft-fixes-defender-zero-day-in-january-2021-patch-tuesday/
Krebs on Security – https://krebsonsecurity.com/2021/01/microsoft-patch-tuesday-january-2021-edition/
Threat Post – https://threatpost.com/critical-microsoft-defender-bug-exploited/162992/
Microsoft Security Response Centre – https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1647

Related Articles

CRING RANSOMWARE
22 April 2021

In April, Sapphire threat intelligence resources identified a sophisticated ransomware campaign utilising the Cring malware and leveraging vulnerability (CVE-2018-13379), identified in 2019 affecting Fortinet VPN Servers. This allows a threat actor to connect to the VPN appliance with no authentication and download session files containing usernames and passwords in clear text. Though this vulnerability has […]

Find Out More
VULNERABILITY ASSESSMENT VS PENETRATION TESTING
10 April 2021

VULNERABILITY ASSESSMENT VS PENETRATION TESTING To protect your business from hackers, it is essential to know what level of risk your business is at. It must then be decided whether a penetration test or a vulnerability assessment is appropriate for you. It is important to know the difference between the two and the varying levels […]

Find Out More
SOC ENGINEER – GLASGOW
9 April 2021

Sapphire is looking for a Security Operations Centre Engineer to build and grow our Managed Services solutions and technologies in Glasgow. The role is for an experienced, enthusiastic individual to join our Security Operations Centre and lead the delivery of our managed services. The position focuses on customer deployments and our SOC infrastructure’s operation, whilst […]

Find Out More