On the 12th of January 2021, Microsoft released the first cumulative patch of the new year, with eighty-three security vulnerabilities rectified across a range of Microsoft products. The most significant of these fixes related to a zero-day vulnerability within Microsoft Defender, the integrated anti-virus of Windows operating systems.
This vulnerability is tracked as CVE-2021-1647 and is described as a Remote Code Execution (RCE) vulnerability, allowing threat actors to execute code of their choosing on target systems.
Researchers believe that threat actors leveraged this vulnerability following the recent SolarWinds supply-chain attack which affected dozens of government and private organisations.
Threat intelligence indicates that while this exploit has been identified in the wild, the technical details of the exploit have yet to be made publicly available. Whilst the attack complexity is rated as low, developing a successful exploit for the vulnerability would still require a high degree of skill.
The vulnerability is triggered when a crafted file is scanned by Microsoft Defender; this scan happens automatically without user intervention. The crafted file needs to be present on the target for successful exploitation. Placing a file on a target host can be achieved through vectors such as phishing e-mails with attachments, fraudulent links, or legitimate files tainted at the source by an attacker.
This vulnerability resides in the Microsoft Malware Protection Engine. This engine receives automatic updates outside the normal patching cycle, minimising the time a system is exposed to threats. As such, most systems will already be patched unless an administrator has intentionally blocked updates. Where this has occurred, we recommend applying the latest patches as a matter of urgency.
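To verify that the engine update described above has actually reached a host, the following PowerShell check is added here as an example (it is not part of the original advisory). It assumes a Windows host with the Defender PowerShell module available, and it takes the fixed engine version as a parameter because this page does not state that number; obtain it from Microsoft's advisory for CVE-2021-1647.

```powershell
# Added example: reports whether the local Malware Protection Engine has reached
# the version carrying the fix, and whether engine/signature updates are arriving.
# Requires the Defender module (Get-MpComputerStatus) on Windows.
function Test-DefenderEngineStatus {
    param(
        # Placeholder input: the patched engine version is not given on this page;
        # take it from Microsoft's advisory for CVE-2021-1647.
        [Parameter(Mandatory = $true)]
        [version]$MinimumEngineVersion,

        # Signature sets older than this many days are flagged as stale,
        # which usually means updates are being blocked somewhere.
        [int]$MaxSignatureAgeDays = 3
    )

    $status = Get-MpComputerStatus

    $engine     = [version]$status.AMEngineVersion
    $sigUpdated = $status.AntivirusSignatureLastUpdated
    $sigAgeDays = if ($sigUpdated) {
        (New-TimeSpan -Start $sigUpdated -End (Get-Date)).Days
    } else { $null }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        EngineVersion      = $engine
        EngineIsPatched    = ($engine -ge $MinimumEngineVersion)
        AMServiceEnabled   = $status.AMServiceEnabled
        SignatureVersion   = $status.AntivirusSignatureVersion
        SignatureAgeDays   = $sigAgeDays
        UpdatesLookStalled = ($null -eq $sigAgeDays -or $sigAgeDays -gt $MaxSignatureAgeDays)
    }
}

# Usage (placeholder version string; substitute the value from the advisory):
# $result = Test-DefenderEngineStatus -MinimumEngineVersion '<patched-engine-version>'
# if (-not $result.EngineIsPatched -or $result.UpdatesLookStalled) { Update-MpSignature }
```

A host reporting `EngineIsPatched = False` or `UpdatesLookStalled = True` is one where the automatic engine update has not landed and should be investigated for blocked update channels.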
More details are available here: