A critical vulnerability in Microsoft’s default anti-malware software, Windows Defender, has been patched with the release of the first Monthly Security Update of 2021, which also addresses 83 additional security vulnerabilities.

Tracked as CVE-2021-1647, the remote code execution (RCE) flaw was found in the Malware Protection Engine component (mpengine.dll). The flaw has been exploited for the past three months and was leveraged by hackers as part of the massive SolarWinds attack, in which attackers had compromised internal networks and leveraged additional Microsoft products to conduct further attacks.

The attack complexity is low: successful exploitation does not require specialized access conditions. Only low privileges are required, meaning an attacker needs no more than basic user capabilities, which normally affect only user-owned settings and files. An attacker could gain access remotely via SSH, locally by accessing the machine itself, or by tricking the user into performing an action that triggers the bug, such as opening a malicious file. Microsoft stated that proof-of-concept (PoC) code is available, although the PoC or technique may not work in all situations.

___________________________________

A. Actions to be Taken 

CERT-PH recommends the following actions be taken:

Immediately test and apply the corresponding patched versions of the affected system from January’s monthly update published by Microsoft. (https://msrc.microsoft.com/update-guide/releaseNote/2021-Jan)
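To confirm that the update has actually reached a host, an administrator can read the Malware Protection Engine version that Windows Defender reports and compare it against the fixed version. The script below is an added example, not part of the CERT-PH advisory or of any Microsoft tooling; it assumes a Windows 10 host with the built-in Defender PowerShell module (Get-MpComputerStatus), and the minimum engine version is a placeholder to be replaced with the fixed version listed in Microsoft's CVE-2021-1647 entry, since the advisory text does not state it.

```powershell
# Added example (not from the CERT-PH advisory): report the Windows Defender
# Malware Protection Engine (mpengine.dll) version so an administrator can
# verify that the January 2021 fix for CVE-2021-1647 is in place.
# The minimum version is a PLACEHOLDER; take the real fixed engine version
# from Microsoft's Security Update Guide entry for CVE-2021-1647.
param(
    [version]$MinimumEngineVersion = [version]'0.0.0.0'   # PLACEHOLDER value
)

# Get-MpComputerStatus is the built-in Defender cmdlet; it exposes the engine,
# platform and signature versions as strings.
$status = Get-MpComputerStatus

$engine = [version]$status.AMEngineVersion

Write-Host ("Antimalware engine (mpengine.dll) version : {0}" -f $engine)
Write-Host ("Antimalware platform version              : {0}" -f $status.AMProductVersion)
Write-Host ("Antivirus signature version               : {0}" -f $status.AntivirusSignatureVersion)
Write-Host ("Signatures last updated                   : {0}" -f $status.AntivirusSignatureLastUpdated)
Write-Host ("Real-time protection enabled              : {0}" -f $status.RealTimeProtectionEnabled)

# [version] comparison is numeric per component, so 1.1.17700.4 correctly
# sorts after 1.1.9999.9 (a plain string compare would not).
if ($engine -lt $MinimumEngineVersion) {
    Write-Warning ("Engine {0} is older than the required minimum {1}." -f $engine, $MinimumEngineVersion)
    Write-Warning "Pull the latest definition/engine update with: Update-MpSignature"
    exit 1
}

Write-Host "Engine version meets the configured minimum." -ForegroundColor Green
exit 0
```

Run it as `.\Check-MpEngine.ps1 -MinimumEngineVersion <fixed version from MSRC>` on each host, or wrap it in `Invoke-Command` for a fleet; a non-zero exit code marks hosts that still need the update. Because the engine ships alongside definition updates, `Update-MpSignature` is the usual way to pull it onto a host that has fallen behind.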