Microsoft Is Urgently Warning Users of Zero-Day Flaws Being Exploited
Last updated September 23, 2021
The first Patch Tuesday of 2021 has Microsoft fixing 83 vulnerabilities across its various products, one of them an actively exploited zero-day in Windows Defender (CVE-2021-1647). The bug is present on every Windows installation, since Defender is the operating system's built-in AV/anti-malware tool.
The bug enables remote code execution because of a parsing error in the Malware Protection Engine's handling of structures in certain executable files. An attacker only needs to get a crafted file onto the system where Defender will scan it, and since Defender scans new files automatically (downloads, e-mail attachments, files written to disk), the victim does not have to open anything for the scan, and the exploit, to run.
One thing to clarify is that if the user has manually disabled Defender, or has installed a third-party AV product that automatically disables Microsoft's tool, then the attack would not work. That said, the fix for this bug ships through Defender's own engine and definition update channel rather than the monthly cumulative update, so a machine that has been online with automatic definition updates enabled has most likely received it already, without a reboot; check the engine version before doing anything drastic. If the engine is behind and updating it right now is impossible, deactivating Defender is a temporary mitigation, but it leaves the machine with no anti-malware protection at all, so treat it as a last resort.
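The practical check for this class of Defender bug, as an added PowerShell example that is not code from the original article or from Microsoft: it reads the engine version and protection state with the Defender module's `Get-MpComputerStatus`, compares the engine against the fixed version, and pulls an engine update if the host is behind. The function name `Test-DefenderEngineExposure` is ours, and the fixed engine version is an input you take from the MSRC advisory for the CVE in question rather than a value assumed here.

```powershell
# Added example (not from the original article): is this host exposed to a
# Defender engine bug such as CVE-2021-1647?
# Assumption: $FixedEngineVersion is the "first engine version with the fix"
# quoted in the MSRC advisory for the CVE; paste it from the advisory.
function Test-DefenderEngineExposure {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][version]$FixedEngineVersion
    )
    try {
        $status = Get-MpComputerStatus -ErrorAction Stop
    } catch {
        # Cmdlet missing or service stopped: Defender is not the active AV on
        # this box, so the engine bug is not reachable, but record that rather
        # than silently reporting "patched".
        return [pscustomobject]@{
            DefenderActive     = $false
            RealTimeProtection = $false
            EngineVersion      = $null
            Patched            = $null
            Note               = "Defender unavailable: $($_.Exception.Message)"
        }
    }

    # AMEngineVersion is a dotted string like 1.1.NNNNN.N; [version] compares
    # it numerically, which a plain string comparison would get wrong.
    $engine = [version]$status.AMEngineVersion
    $active = $status.AntivirusEnabled -and $status.AMServiceEnabled

    [pscustomobject]@{
        DefenderActive     = $active
        RealTimeProtection = $status.RealTimeProtectionEnabled
        EngineVersion      = $engine
        Patched            = ($engine -ge $FixedEngineVersion)
        SignatureAgeDays   = $status.AntivirusSignatureAge
        Note               = if ($active) { '' } else { 'Defender present but not the active AV (third-party product or disabled)' }
    }
}

# Usage: $fixed comes from the MSRC advisory (hypothetical placeholder here).
$fixed = [version]'0.0.0.0'   # replace with the advisory's fixed engine version

$result = Test-DefenderEngineExposure -FixedEngineVersion $fixed
if ($result.DefenderActive -and -not $result.Patched) {
    # Engine is behind: fetch the current engine + definitions from Microsoft
    # Update (no reboot needed), then re-check instead of assuming success.
    Update-MpSignature
    $result = Test-DefenderEngineExposure -FixedEngineVersion $fixed
}
$result | Format-List
```

Run it in an elevated PowerShell session. A result of `DefenderActive = $true` with `Patched = $false` after the update attempt is the case where the article's "disable Defender" fallback applies; `DefenderActive = $false` means a third-party product owns scanning and this particular bug is not reachable through Defender on that host. Note that `Update-MpSignature` needs network access to Microsoft Update (or to the WSUS/UNC source configured with `Set-MpPreference -SignatureFallbackOrder`), so on an isolated host the check will keep reporting the old engine.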
A second vulnerability, CVE-2021-1709, is not confirmed as exploited in the wild, but is considered likely to be. It is a memory corruption bug in the Win32k component that could let an attacker escalate privilege on the target system. It requires local access (code already running on the machine), so on its own it is less critical, though elevation-of-privilege bugs like this are exactly what gets chained with a remote code execution bug such as the Defender one above.
Other notable flaws fixed with the latest patch are the following:
Of course, there are many more flaws, and their real-world importance is not always reflected in the individual CVSS scores, as people run different components, configurations, and tools. The safest course is simply to apply the full update and address everything at once.
As always, back up your data before applying the update, as things can always go wrong in the patching process. Even if you blindly trust Windows testers, a power outage mid-update (which can leave you with a corrupted filesystem) is always a possibility, so don't risk it.