Описание
Windows Defender Antimalware Platform Hard Link Elevation of Privilege Vulnerability
An elevation of privilege vulnerability exists when Windows Defender antimalware platform improperly handles hard links. An attacker who successfully exploited this vulnerability could overwrite a targeted file leading to an elevated status.
To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.
The security update addresses the vulnerability by correcting how Windows Defender antimalware platform handles hard links.
FAQ
| References | Identification |
|---|---|
| Last version of the Windows Defender antimalware platform affected by this vulnerability | Version 4.18.2001.111 and earlier antimalware platform |
| First version of the Windows Defender antimalware platform with this vulnerability addressed | Version 4.18.2001.112 and earlier antimalware platform |
| Last version of the Windows Defender antimalware platform running on Windows 8.1 affected by this vulnerability | 4.10.x.x, 4.9.x.x, 4.8.0.0 – 4.8.10240.0, 4.7.x.x and below |
| First version of the Windows Defender antimalware platform running on Windows 8.1 with this vulnerability addressed | Version 4.8.10240.18543 |
| Last version of the Windows Defender antimalware platform running on Windows 10 affected by this vulnerability | Version 4.8.10240.17394 |
| First version of the Windows Defender antimalware platform running on Windows 10 with this vulnerability addressed | Version 4.8.10240.18964 |
Why is no action required to install this update?
In response to a constantly changing threat landscape, Microsoft frequently updates the Windows Defender antimalware platform in addition to signatures and the protection engine. In order to be effective in helping protect against new and prevalent threats, antimalware software must be kept up to date with these updates in a timely manner.
For enterprise deployments as well as end users, the default configuration in Microsoft antimalware software helps ensure that malware definitions and the Windows Defender antimalware platform are kept up to date automatically. Product documentation also recommends that products are configured for automatic updating.
Best practices recommend that customers regularly verify whether software distribution, such as the automatic deployment of Windows Defender antimalware platform updates and malware definitions, is working as expected in their environment.
How often is the Windows Defender antimalware platform updated?
Microsoft typically releases an update for the Windows Defender antimalware platform once a month or as needed to protect against new threats. Microsoft also typically updates the malware definitions three times daily and can increase the frequency when needed.
Depending on which Microsoft antimalware software is used and how it is configured, the software may search for platform, engine and definition updates every day when connected to the Internet, up to multiple times daily. Customers can also choose to manually check for updates at any time.
What is the Windows Defender antimalware platform?
The Windows Defender antimalware platform, is the platform leveraged by Microsoft security products – offering platform integration for the antimalware engine and signatures. It provides functionality like real time and scheduled/on-demand scanning, updating and reporting.
Does this update contain any additional security-related changes to functionality?
Yes. In addition to the changes that are listed for this vulnerability, this update includes defense-in-depth updates to help improve security-related features.
Where can I find more information about Microsoft antimalware technology?
For more information, visit the Microsoft Malware Protection Center website.
Microsoft Defender is disabled in my environment, why are vulnerability scanners showing that I am vulnerable to this issue?
Vulnerability scanners are looking for specific binaries and version numbers on devices. Microsoft Defender files are still on disk even when disabled. Systems that have disabled Microsoft Defender are not in an exploitable state.
Suggested Actions
Verify that the update is installed
Customers should verify that the latest version of the Windows Defender antimalware platform and definition updates are being actively downloaded and installed for their Microsoft antimalware products.
For more information on how to verify the version number for the Windows Defender antimalware platform that your software is currently using, see the section, "Verifying Update Installation", in Microsoft Knowledge Base Article 2510781.
For affected software, verify that the Windows Defender antimalware platform version is 4.18.2001.112 or later.
If necessary, install the update
Administrators of enterprise antimalware deployments should ensure that their update management software is configured to automatically approve and distribute engine updates and new malware definitions. Enterprise administrators should also verify that the latest version of the Windows Defender antimalware platform and definition updates are being actively downloaded, approved and deployed in their environment.
For end-users, the affected software provides built-in mechanisms for the automatic detection and deployment of this update. For these customers, the update will be applied within 48 hours of its availability. The exact time frame depends on the software used, Internet connection, and infrastructure configuration.
End users that do not wish to wait can manually update their antimalware software.
For more information on how to manually update the Windows Defender antimalware platform and malware definitions, refer to Microsoft Knowledge Base Article 2510781. Also see the following articles:
Возможность эксплуатации
Publicly Disclosed
Exploited
Latest Software Release
Older Software Release
DOS
EPSS
Связанные уязвимости
An elevation of privilege vulnerability exists when Windows Defender antimalware platform improperly handles hard links, aka 'Windows Defender Antimalware Platform Hard Link Elevation of Privilege Vulnerability'.
An elevation of privilege vulnerability exists when Windows Defender antimalware platform improperly handles hard links, aka 'Windows Defender Antimalware Platform Hard Link Elevation of Privilege Vulnerability'.
Уязвимость Защитника Microsoft (Windows Defender) операционной системы Windows, позволяющая нарушителю повысить свои привилегии
EPSS