Issuing CNA: Microsoft

What kind of security feature could be bypassed by successfully exploiting this vulnerability?

An authenticated attacker who successfully exploited this vulnerability could prevent Microsoft Defender from starting.

See Manage Updates Baselines Microsoft Defender Antivirus for more information.

Microsoft Defender is disabled in my environment, why are vulnerability scanners showing that I am vulnerable to this issue?

Vulnerability scanners are looking for specific binaries and version numbers on devices. Microsoft Defender files are still on disk even when disabled. Systems that have disabled Microsoft Defender are not in an exploitable state.

Why is no action required to install this update?

In response to a constantly changing threat landscape, Microsoft frequently updates malware definitions and the Windows Defender Antimalware Platform. In order to be effective in helping protect against new and prevalent threats, antimalware software must be kept up to date with these updates in a timely manner.

For enterprise deployments as well as end users, the default configuration in Microsoft antimalware software helps ensure that malware definitions and the Windows Defender Antimalware Platform are kept up to date automatically. Product documentation also recommends that products are configured for automatic updating.

Best practices recommend that customers regularly verify whether software distribution, such as the automatic deployment of Windows Defender Antimalware Platform updates and malware definitions, is working as expected in their environment.

How often are the Windows Defender Antimalware Platform and malware definitions updated?

Microsoft typically releases an update for the Windows Defender Antimalware Platform once a month or as needed to protect against new threats. Microsoft also typically updates the malware definitions three times daily and can increase the frequency when needed.

Depending on which Microsoft antimalware software is used and how it is configured, the software may search for platform, engine and definition updates every day when connected to the Internet, up to multiple times daily. Customers can also choose to manually check for updates at any time.

What is the Windows Defender Antimalware Platform?

The Windows Defender Antimalware Platform is a collection of user-mode binaries (e.g. MsMpEng.exe) and kernel-mode drivers that run on top of Windows to keep devices protected against new and prevalent threats.

Windows Defender uses the Windows Defender Antimalware Platform. On which products is Defender installed and active by default?

Defender runs on all supported versions of Windows.

Are there other products that use the Windows Defender Antimalware Platform?

Yes, Microsoft System Center Endpoint Protection, Microsoft System Center 2012 R2 Endpoint Protection, Microsoft System Center 2012 Endpoint Protection and Microsoft Security Essentials.

Does this update contain any additional security-related changes to functionality?

Yes.  In addition to the changes that are listed for this vulnerability, this update includes defense-in-depth updates to help improve security-related features.

Suggested Actions

Verify that the update is installed

Customers should verify that the latest version of the Microsoft Malware Protection Platform and definition updates are being actively downloaded and installed for their Microsoft antimalware products.

1. Open the Windows Security program. For example, type Security in the Search bar, and select the Windows Security program.
2. In the navigation pane, select Virus & threat protection.
3. Under Virus & threat protection updates in the main window, select Check for updates
4. Select Check for updates again.
5. In the navigation pane, select Settings, and then select About.
6. Examine the Platform Version number. The update was successfully installed if the Malware Protection Platform version number or the signature package version number matches or exceeds the version number that you are trying to verify as installed.

Information published.

Issuing CNA: Microsoft

Information published.

Issuing CNA: Microsoft

How could an attacker exploit this vulnerability?

An attacker could exploit the vulnerability by sending the user a malicious link or a malicious image via Instant Message and then convincing the user to click the link or image.

How do I get the update?

1. Click the Download link.
2. Under Skype for Desktop select the Get Skype for Windows 10 & 11 arrow to display download options.
3. Select from the following to download the version you need for your Desktop.

• Get Skype for Windows
• Get Skype for Mac
• Get Skype for Linux SNAP

To verify that you have the latest version of Skype installed, Select Settings > Help & Feedback.

For more information on how to update Skype, see Updating to the latest version of Skype.

According to the CVSS metrics, successful exploitation of this vulnerability could lead to major loss of confidentiality (C:H), integrity (I:H), and availability (A:H). What does that mean for this vulnerability?

An attacker who successfully exploited this vulnerability could gain high privileges, which include read, write, and delete functionality.

Information published.

Issuing CNA: Microsoft

What privileges could an attacker gain with a successful exploitation?

An unprivileged attacker with read only permissions can escalate to Root in the Border Gateway Protocol container and perform specific actions that enable them to escape the container.

Information published.

Issuing CNA: Microsoft

What actions do customers need to take to protect themselves from this vulnerability?

Customers with deployments created prior to Oct 19. 2023 must manually upgrade azure-core to Azure Core Build 1.29.5 or higher to be protected. For information reference the following: https://azure.github.io/azure-sdk/releases/latest/index.html. Customers with deployments created after October 19, 2023 recieved the fix automatically and no action is needed.

Information published.

Issuing CNA: Microsoft

According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

An attacker must send the user a malicious file and convince them to open it.

According to the CVSS metric, successful exploitation of this vulnerability could lead to total loss of confidentiality (C:H), integrity (I:H), and availability (A:H). What does that mean for this vulnerability?

An attacker who successfully exploits this vulnerability could perform a remote attack that could enable access to the victim's information and the ability to alter information. Successful exploitation could also potentially cause downtime for the targeted environment.

According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution?

The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability.

Information published.

Issuing CNA: Microsoft

Information published.

Issuing CNA: Microsoft

According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?

Successful exploitation of this vulnerability requires an attacker to physically access the target device. To gain access, an attacker must acquire the device after being unlocked by a legitimate user (target of opportunity) or possess the ability to pass device authentication or password protection mechanisms.

Information published.

Issuing CNA: Microsoft

Information published.

Issuing CNA: Microsoft

According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?

Successful exploitation of this vulnerability requires an attacker to win a race condition.

What privileges could be gained by an attacker who successfully exploited the vulnerability?

An attacker who successfully exploited this vulnerability could execute code in the security context of the “NT AUTHORITY\Network Service” account.

Information published.

Issuing CNA: Microsoft

How could an attacker exploit this vulnerability?

An attacker could exploit the vulnerability by tricking an authenticated user into attempting to connect to a malicious SQL server via OLEDB, which could result in the server receiving a malicious networking packet. This could allow the attacker to execute code remotely on the client.

According to the CVSS metric, the attack vector is network (AV:N) and the user interaction is required (UI:R). What is the target context of the remote code execution?

An authenticated victim who is connected to the network must be tricked or persuaded to connect to a malicious SQL database using their SQL client application. After the connection is made, the server can send specially crafted replies to the client that exploit the vulnerability and permit execution of arbitrary code within the context of the user's SQL client application.

Information published.

Issuing CNA: Microsoft

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.

Information published.

Issuing CNA: Microsoft

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.

According to the CVSS metric, user interaction is required (UI:R). What does that mean for this vulnerability?

An administrative user must be convinced to open a malicious COM object like an .rtf file.

Information published.

Issuing CNA: Microsoft

How could an attacker exploit this vulnerability?

An attacker could exploit the vulnerability by tricking an authenticated user into attempting to connect to a malicious SQL server via OLEDB, which could result in the server receiving a malicious networking packet. This could allow the attacker to execute code remotely on the client.

According to the CVSS metric, the attack vector is network (AV:N) and the user interaction is required (UI:R). What is the target context of the remote code execution?

An authenticated victim who is connected to the network must be tricked or persuaded to connect to a malicious SQL database using their SQL client application. After the connection is made, the server can send specially crafted replies to the client that exploit the vulnerability and permit execution of arbitrary code within the context of the user's SQL client application.

Information published.

Issuing CNA: Microsoft

According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?

Successful exploitation of this vulnerability requires an attacker to win a race condition.

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.

Information published.

Issuing CNA: Microsoft

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.

Information published.